REvil ransomware group reportedly taken offline by multi-nation effort

Law enforcement officials and cyber specialists hacked into REvil’s network, gaining control of some of its servers, sources told Reuters.

Image: Mackenzie Burke

The infamous REvil ransomware group has reportedly been dealt a severe blow by an operation conducted by officials in the US and other countries. Law enforcement and intelligence cyber specialists hacked into REvil's computer network infrastructure and took control of at least some of the group's servers, Reuters reported on Thursday, citing three private sector cyber experts working with the US government and one former official.


“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” VMware head of cybersecurity strategy Tom Kellermann told Reuters.

“REvil was top of the list,” added Kellermann, who also serves as an adviser to the U.S. Secret Service on cybercrime investigations.

At this point, REvil's “Happy Blog” website, the leak site through which it published data stolen from victims who refused to pay, is no longer accessible. A so-called “leadership figure” for REvil known as “0_neday,” who helped restart the gang's operations after its earlier shutdown, revealed that REvil's servers had been hacked by an unknown party, Reuters said.

“The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum initially seen by security firm Recorded Future. “Good luck, everyone; I’m off.”

Reuters didn't specify which of the group's other websites and services have been taken down. But the whole episode appears to be a case of REvil getting caught in its own trap.

Following the attack that hit enterprise IT firm Kaseya and its downstream customers this past summer, REvil's Happy Blog and its other online sites went offline with no clear explanation. Some experts said the group was simply lying low. Others said it might have disbanded. Some suspected the US government or another official entity had pulled the plug on its infrastructure.

In September, 0_neday and other members of the group restored their websites from a backup. That backup, however, had apparently already been compromised: restoring from it brought up internal systems that were under the control of law enforcement as part of an operation to hack into and take over REvil's infrastructure.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, told Reuters. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”


The FBI declined Reuters' request for comment, but one person familiar with the events said that a foreign partner of the US government carried out the hacking operation against REvil. A former US official, speaking on condition of anonymity, told Reuters that the operation is still active.

Organizations in the US and elsewhere have been shaken by several high-profile ransomware attacks this year. REvil drew attention to itself with the Kaseya incident, which affected more than 1,000 organizations downstream of the compromised software vendor. An earlier attack against meat processing company JBS Foods had already put a spotlight on REvil. The attack against Colonial Pipeline, attributed to the DarkSide group, raised concerns about the vulnerability of critical infrastructure.

As a result, the White House and other government entities have resolved to crack down on ransomware gangs and their operations. The effort to take down REvil shows that law enforcement is willing to play hardball to stop these criminal enterprises.

“Hopefully a clear message is being sent that running a ransomware business is not worth the risks any longer,” said Chuck Everette, director of cybersecurity advocacy at Deep Instinct. “With REvil being taken off-line, this can definitely be counted as a benefit for those in the cybersecurity defense area. The one thing to note here is there are plenty of other ransomware criminal gangs ready to step in and take back over the areas vacated by REvil. We can only hope that this government-assisted shutdown will have a negative impact on the operations of the other gangs due to fear of it happening to them as well.”
