{
	"id": "e5c870a8-b02f-4b73-ae8b-5fceb6d26216",
	"created_at": "2026-04-06T00:19:30.617443Z",
	"updated_at": "2026-04-10T13:12:31.058706Z",
	"deleted_at": null,
	"sha1_hash": "16129d460107870815c609df745211f15e0765fc",
	"title": "REvil ransomware gang's web sites mysteriously shut down",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2220846,
	"plain_text": "REvil ransomware gang's web sites mysteriously shut down\r\nBy Lawrence Abrams\r\nPublished: 2021-07-13 · Archived: 2026-04-05 20:22:51 UTC\r\nThe infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.\r\nThe REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom\r\nnegotiation sites, ransomware data leak sites, and backend infrastructure.\r\nStarting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/\r\nREvil Tor site no longer accessible\r\n\"In simple terms, this error generally means that the onion site is offline or disabled. 
To know for sure, you'd need to contact\r\nthe onion site administrator,\" the Tor Project's Al Smith told BleepingComputer.\r\nWhile it is not unheard of for REvil sites to lose connectivity for some time, for all sites to shut down simultaneously is unusual.\r\nFurthermore, the decoder[.]re clear website is no longer resolvable by DNS queries, possibly indicating the DNS records for\r\nthe domain have been pulled or that backend DNS infrastructure has been shut down.\r\nREvil domain no longer resolves to DNS queries\r\nRecorded Future's Allan Liska said that the REvil web sites went offline at approximately 1 AM EST this morning.\r\nThis afternoon, the LockBit ransomware representative posted to the XSS Russian-speaking hacking forum that it is\r\nrumored the REvil gang erased their servers after learning of a government subpoena.\r\n\"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to\r\ncompletely erase server infrastructure and disappear. 
However, it is not confirmed,\" the post says in Russian translated to\r\nEnglish for BleepingComputer by Advanced Intel's Vitali Kremez.\r\nLockBit forum post about REvil\r\nSoon after, the XSS admin banned REvil's 'Unknown,' the public-facing representative of the ransomware gang, from the\r\nforum.\r\n\"As a rule of thumb, the administration of the top forums bans its users when they are suspected of being under the\r\npolice control,\" explained Kremez.\r\nREvil's 'Unknown' banned from hacking forum\r\nIf you have first-hand information about the shut down, you can confidentially contact us on Signal at +16469613731 or on\r\nWire at @lawrenceabrams-bc.\r\nFeeling the heat\r\nOn July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500\r\nindividual businesses using a zero-day vulnerability in the Kaseya VSA remote management software.\r\nAs part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims but quickly dropped\r\nthe price to $50 million.\r\nSince then, the ransomware group has been under increased scrutiny by law enforcement, which did not seem to faze\r\n'Unknown,'\r\nAs these ransomware gangs commonly operate out of Russia, President Biden has been in talks with President Putin about\r\nthe attacks and warned that if Russia did not act upon threat actors within its borders, the USA would take action itself.\r\n\"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even\r\nthough it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is,\"\r\nBiden said after signing an executive order at the White House.\r\nAt this point, it is not clear if REvil's shut down of servers is for technical reasons, if the gang shut down their 
operation, or\r\nif a Russian or USA law enforcement operation took place.\r\nOther ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to the increased pressure by law\r\nenforcement.\r\nHowever, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to\r\ncontinue performing ransomware attacks. This was seen in the past when GandCrab shut down and many of its members\r\nrelaunched as REvil.\r\nBabuk also relaunched as Babuk v2.0 after the original group splintered due to differences in how attacks were conducted.\r\nThe FBI has declined to comment regarding the shut down of REvil's servers.\r\nThis is a developing story.\r\nUpdate 7/13/21 6:31 PM EST: Added more information about hacking forums.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/"
	],
	"report_names": [
		"revil-ransomware-gangs-web-sites-mysteriously-shut-down"
	],
	"threat_actors": [],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16129d460107870815c609df745211f15e0765fc.pdf",
		"text": "https://archive.orkl.eu/16129d460107870815c609df745211f15e0765fc.txt",
		"img": "https://archive.orkl.eu/16129d460107870815c609df745211f15e0765fc.jpg"
	}
}