REvil Hacking Gang Forced Offline In Multi-Country Operation
Law enforcement and intelligence agencies in the US and partner countries hack REvil’s infrastructure and force notorious ransomware gang offline
Notorious hacking gang REvil has been hacked and forced offline by a multi-country operation, security researchers have said.
The gang’s “Happy Blog” website, which it used to leak victims’ data for the purposes of extortion, is currently unavailable.
The Russia-based gang was responsible for the July compromise of Florida-based IT management software company Kaseya, which allowed it to push ransomware to hundreds of Kaseya customers around the world. (The May ransomware attack on Colonial Pipeline, which led to widespread fuel shortages on the US East Coast, has been attributed to the separate DarkSide gang, not REvil.)
In April REvil hacked Apple assembler Quanta Computer and stole engineering schematics for unreleased products, including designs for the 2021 MacBook Pro, releasing them to the public after failing to blackmail Quanta or Apple for tens of millions of pounds.
Takedown
The gang also disrupted the systems of meatpacker JBS and many other high-profile targets.
Following the attack on Kaseya, the FBI faced heavy criticism after it revealed that it had obtained a universal decryption key that could have aided those affected by the attack, but chose not to release it as it was preparing an operation against the gang.
REvil’s infrastructure went offline before that operation could go ahead.
VMware head of cybersecurity strategy Tom Kellermann, a cybercrime adviser to the US Secret Service, said law enforcement and intelligence personnel had taken “disruptive” action against REvil and similar gangs.
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” Kellermann told Reuters. “REvil was top of the list.”
Computer security firm Recorded Future last week reported a series of posts by a REvil operator known as 0_neday, in which the individual said REvil’s servers had been hacked by an unknown party.
Compromised backups
“The server was compromised, and they were looking for me,” 0_neday wrote on hacking forum XSS. “Good luck, everyone; I’m off.”
Websites used by the gang to conduct business went offline in July following the Kaseya hack, and the group’s main spokesman, “Unknown”, vanished from the internet, with other gang members reportedly concluding he had died.
0_neday and others then restored REvil’s systems in September, but unknowingly used backups that had already been compromised by law enforcement, researchers said.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at Russia-based security company Group-IB.
“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
Allan Liska, a ransomware expert with Recorded Future, told ZDNet that REvil’s relaunch in September had allowed law enforcement authorities to gain ground against the gang.
“No one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online,” he said. “That is just dumb.”
Multi-country operation
The White House National Security Council said the US was undertaking a “whole of government” effort against ransomware.
“Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernise our defenses, and building an international coalition to hold countries who harbour ransom actors accountable,” the council said.
Reuters cited one source as saying that the actual hack of REvil had been carried out by an unnamed foreign partner of the US government, while an unnamed US official said the security operation is still active.
The US began shifting its approach to ransomware earlier this year, with US Deputy Attorney General Lisa Monaco saying ransomware attacks on critical infrastructure should be treated as a national security issue similar to terrorism.
In June Principal Associate Deputy Attorney General John Carlin said the Justice Department was elevating investigations of ransomware attacks to a similar priority.
Intelligence cooperation
That shift gave the Justice Department and other US agencies a legal basis to work with intelligence agencies and the Department of Defence on cybercrime, VMware’s Kellermann said.
“Before, you couldn’t hack into these forums, and the military didn’t want to have anything to do with it. Since then, the gloves have come off,” he said.
Steve Forbes, government cyber-security expert at registrar Nominet, said it was “hard to overstate” the significance of the takedown of REvil.
But he said the income from such gangs’ disruptive operations gives them the ability to reinvent themselves many times over.
“We can only hope that these law enforcement measures start to make the risk greater than the reward for cyber criminals,” Forbes told Silicon UK.