{
	"id": "7bae4bae-f475-468e-a898-53cd348d67e2",
	"created_at": "2026-04-06T00:10:54.34972Z",
	"updated_at": "2026-04-10T13:12:27.621377Z",
	"deleted_at": null,
	"sha1_hash": "16e0b29a00043a81ce95ad7c3e39df8c9db3d775",
	"title": "REvil ransomware shuts down again after Tor sites were hijacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1330289,
	"plain_text": "REvil ransomware shuts down again after Tor sites were hijacked\r\nBy Lawrence Abrams\r\nPublished: 2021-10-17 · Archived: 2026-04-05 14:38:45 UTC\r\nThe REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.\r\nThe Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting to the XSS hacking forum that someone hijacked the gang's domains.\r\nThe thread was first discovered by Recorded Future's Dmitry Smilyanets, and states that an unknown person hijacked the Tor hidden services (onion domains) with the same private keys as REvil's Tor sites and likely has backups of the sites.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/\r\nPage 1 of 4\r\n\"But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys,\" a threat actor known as '0_neday' posted to the hacking forum.\r\nThe threat actor went on to say that they found no signs of compromise to their servers but will be shutting down the operation.\r\nThe threat actor then told affiliates to contact him for campaign decryption keys via Tox, likely so affiliates could continue extorting their victims and provide a decryptor if a ransom is paid.\r\nXSS forum topic about REvil sites being hijacked\r\nTo launch a Tor hidden service (a .onion domain), you need to generate a private and public key pair, which is used to initialize the service.\r\nThe private key must be secured and only accessible to trusted admins, as anyone with access to this key could use it to launch the same .onion service on their own server.\r\nAs a third party was able to hijack the domains, it means they too have access to the hidden service's private keys.\r\nThis evening, 0_neday once again posted to the hacking forum topic, but this time saying that their server was compromised and that whoever did it was targeting the threat actor.\r\nForum post stating the REvil server was compromised\r\nAt this time, it is unknown who compromised their servers.\r\nAs Bitdefender and law enforcement gained access to the master REvil decryption key and released a free decryptor, some threat actors believe that the FBI or other law enforcement have had access to the servers since they relaunched.\r\nAs no one knows what happened to Unknown, it is also possible that the threat actor is trying to regain control over the operation.\r\nREvil likely shut down for good\r\nAfter REvil conducted a massive attack on companies through a zero-day vulnerability in the Kaseya MSP platform, the REvil operation suddenly shut down, and their public-facing representative, Unknown, disappeared.\r\nAfter Unknown did not return, the rest of the REvil operators launched the operation and websites again in September using backups.\r\nSince then, the ransomware operation has been struggling to recruit users, going as far as to increase affiliates' commissions to 90% to entice other threat actors to work with them.\r\nWith this latest mishap, the operation in its current form will likely be gone for good.\r\nHowever, no good thing lasts forever when it comes to ransomware, and we will likely see them rebrand as a new operation shortly.\r\nThx to @_TheEmperors_ for the tip!\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/"
	],
	"report_names": [
		"revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked"
	],
	"threat_actors": [],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16e0b29a00043a81ce95ad7c3e39df8c9db3d775.pdf",
		"text": "https://archive.orkl.eu/16e0b29a00043a81ce95ad7c3e39df8c9db3d775.txt",
		"img": "https://archive.orkl.eu/16e0b29a00043a81ce95ad7c3e39df8c9db3d775.jpg"
	}
}