REvil ransomware gang taken down in multi-country operation


A member of the gang said last weekend that someone had compromised the group's servers

The REvil ransomware gang was itself hacked and taken offline this week in a coordinated operation involving law enforcement agencies from multiple countries.

Three private-sector cyber specialists working with US law enforcement agencies and one former official told Reuters that cyber experts working with intelligence agencies were able to breach REvil's network infrastructure and seize control of at least some of its servers.

Tom Kellermann, head of cybersecurity strategy at VMware and an adviser to the US Secret Service on cybercrime investigations, said that the FBI, in association with US Cyber Command, the Secret Service and agencies in like-minded countries, was engaged in "significant disruptive actions against these groups".

"REvil was top of the list," he added.

Last week, REvil operator "0_neday" wrote on a cybercrime forum that someone had taken control of the group's data leak website and Tor payment portal.

"The server was compromised, and they were looking for me," 0_neday said.

"To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others -- this was not."

0_neday explained that he and "Unknown", a leading figure in the gang, were the only two members who held REvil's domain keys, and noted that the REvil domain had been accessed using the keys of "Unknown".
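The tampering 0_neday describes, a HiddenServiceDir entry removed from torrc and replaced with one the attacker controls, is something a hidden service operator can check for mechanically: parse the live torrc, and for each configured directory derive the v3 .onion address from the ed25519 public key tor stores there, comparing it against the operator's own record. The script below is an added example written for this article, not code from the article, from REvil, or from the Tor project. It assumes the standard v3 address derivation from the Tor rendezvous spec (base32 of pubkey, a two-byte SHA3-256 checksum and the version byte 0x03) and the on-disk layout of tor's hs_ed25519_public_key file (a 32-byte tag followed by the 32-byte key); the key bytes and torrc contents in demo() are constructed for illustration.

```python
import base64
import hashlib
import os
import re
import tempfile

# Added example (not from the article): operator-side integrity check for
# Tor hidden service configuration. Assumes the v3 onion address derivation
# from rend-spec-v3 and tor's hs_ed25519_public_key file layout.

ONION_VERSION = b"\x03"
PUBKEY_FILE = "hs_ed25519_public_key"
PUBKEY_TAG = b"== ed25519v1-public: type0 =="  # tor pads this tag to 32 bytes


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive a v3 .onion address from a 32-byte ed25519 public key.

    address  = base32(pubkey || checksum || version) + ".onion"
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def read_pubkey(hs_dir: str) -> bytes:
    """Read <HiddenServiceDir>/hs_ed25519_public_key: 32-byte tag + 32-byte key."""
    with open(os.path.join(hs_dir, PUBKEY_FILE), "rb") as f:
        data = f.read()
    if len(data) != 64 or not data.startswith(PUBKEY_TAG):
        raise ValueError(f"unexpected public key file in {hs_dir}")
    return data[32:]


def hidden_service_dirs(torrc_text: str) -> list:
    """Return the HiddenServiceDir values in a torrc, ignoring '#' comments."""
    dirs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"HiddenServiceDir\s+(\S+)", line)
        if m:
            dirs.append(m.group(1))
    return dirs


def audit_torrc(torrc_text: str, expected: dict) -> dict:
    """Compare the live torrc with the operator's record {HiddenServiceDir: .onion}.

    Flags directories that were removed from the config, directories that were
    added, and directories whose on-disk key no longer yields the recorded address.
    """
    configured = hidden_service_dirs(torrc_text)
    report = {"removed": [], "added": [], "mismatched": [], "ok": []}
    for hs_dir in expected:
        if hs_dir not in configured:
            report["removed"].append(hs_dir)
    for hs_dir in configured:
        if hs_dir not in expected:
            report["added"].append(hs_dir)
            continue
        try:
            actual = onion_address_from_pubkey(read_pubkey(hs_dir))
        except (OSError, ValueError):
            report["mismatched"].append(hs_dir)
            continue
        bucket = "ok" if actual == expected[hs_dir] else "mismatched"
        report[bucket].append(hs_dir)
    return report


def demo() -> dict:
    """Constructed scenario: the operator's own service directory, checked against
    an untouched torrc and against one edited to point at an attacker's directory."""
    root = tempfile.mkdtemp()
    mine = os.path.join(root, "hs_mine")
    os.mkdir(mine)
    fake_pubkey = bytes(range(32))  # constructed key bytes, not a real service key
    with open(os.path.join(mine, PUBKEY_FILE), "wb") as f:
        f.write(PUBKEY_TAG.ljust(32, b"\x00") + fake_pubkey)
    expected = {mine: onion_address_from_pubkey(fake_pubkey)}

    good_torrc = f"HiddenServiceDir {mine}\nHiddenServicePort 80 127.0.0.1:8080\n"
    tampered_torrc = (
        f"# HiddenServiceDir {mine}\n"  # operator's entry commented out
        f"HiddenServiceDir {os.path.join(root, 'hs_theirs')}\n"  # attacker's entry
        "HiddenServicePort 80 127.0.0.1:8080\n"
    )
    return {"good": audit_torrc(good_torrc, expected),
            "tampered": audit_torrc(tampered_torrc, expected)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The record of expected addresses should live somewhere the tor host cannot overwrite, otherwise an attacker who can edit torrc can edit the baseline too. Note that this check only covers the configuration and key files on disk; it cannot tell you that a second copy of the private key is being used elsewhere, which is the situation 0_neday describes with "Unknown"'s keys.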

"Unknown" disappeared in July, leaving the other members of the gang to assume he was dead.

"Good luck, everyone; I'm off," 0_neday said.

Earlier, in July, REvil had used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small and medium-sized business customers in a massive supply chain attack.

Prior to that, hackers had used Darkside encryption software to attack Colonial Pipeline, and officials believe the Darkside code was written by REvil associates.

A few days after the Kaseya attack in July, REvil disappeared from the internet, abandoning forums, disconnecting its servers and shutting down its dark web presence. Experts suspected that the Russian government had forced the group to cease operations, to show the world that it was cooperating with the US government.

But in September, many of the dark web servers belonging to REvil resurfaced, sparking fears that the group was preparing for new attacks.

According to Reuters, 0_neday and others restored some of the group's websites from a backup in September, but mistakenly restarted some internal systems that were already under the control of law enforcement agencies.

"The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB.

"Ironically, the gang's own favourite tactic of compromising the backups was turned against them."

A spokesperson for the White House National Security Council declined to comment on the REvil operation, saying only that the government had undertaken "a whole of government ransomware effort, including disruption of ransomware infrastructure and actors".

The spokesperson added that the government was working with private firms "to modernise our defences, and building an international coalition to hold countries who harbour ransom actors accountable".