REvil ransomware gang's web sites mysteriously shut down

The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.


The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.


Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.



REvil Tor site no longer accessible

"In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you'd need to contact the onion site administrator," the Tor Project's Al Smith told BleepingComputer.


While it is not unheard of for REvil sites to lose connectivity for some time, for all of the sites to shut down simultaneously is unusual.


Furthermore, the decoder[.]re clear website is no longer resolvable by DNS queries, possibly indicating the DNS records for the domain have been pulled or that backend DNS infrastructure has been shut down.



REvil domain no longer resolves to DNS queries

Recorded Future's Alan Liska said that the REvil web sites went offline at approximately 1 AM EST this morning.


This afternoon, the LockBit ransomware representative posted to the XSS Russian-speaking hacking forum that it is rumored the REvil gang erased their servers after learning of a government subpoena.


"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," the post says in Russian, translated to English for BleepingComputer by Advanced Intel's