REvil group taken down by the Feds

CyberSecurity
3 min readOct 23, 2021


On Oct 21, Reuters reported that the ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.

The government has successfully hacked the hacking group REvil, the entity behind the ransomware that has been linked to Apple-related leaks, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources say that the FBI, Secret Service, Cyber Command, and organizations from other countries worked together to take the group’s operations offline this month. The group’s dark web blog, which exposed information gleaned from its targets, is also reportedly offline.

Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil’s direct victims include top meatpacker JBS (JBSS3.SA). The crime group’s “Happy Blog” website, which had been used to leak victim data and extort companies, is no longer available.

Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates. VMware (VMW.N) head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.

Reports about the group going offline started surfacing earlier this week, with TechCrunch writing that its Tor website was no longer available on Monday. There was speculation of a hack, fueled by a forum post from one of the group’s suspected leaders saying that its server was “compromised,” but at the time it was unclear who was responsible. Reuters cites sources who say the government’s operation against ransomware hackers, including REvil, is still ongoing.

The US has been turning the screws on ransomware groups

The US is slowly turning the screws on groups associated with ransomware as the attacks become more and more costly for companies (one company reportedly paid a $40 million ransom to restore its operations). The Treasury pushed sanctions that make it harder to turn hacked machines into cash, and the Department of Justice created a team for investigating crimes committed by cryptocurrency exchanges, citing the impact of ransomware several times in its announcement.

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”

A leadership figure known as “0_neday,” who had helped restart the group’s operations after an earlier shutdown, said REvil’s servers had been hacked by an unnamed party. “The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. “Good luck, everyone; I’m off.”

U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya’s customers all at once, leading to numerous emergency cyber incident response calls.

There is also a possibility that the group could come back, though trying to recover from going down in July is reportedly what opened it up to attacks from the US in the first place. According to Reuters’ sources, one of the group’s members restored a backup and unwittingly brought back systems that had already been compromised by law enforcement. A Russian security expert told Reuters that infecting backups is a tactic commonly used by REvil itself.
