Government-led 'hunt' behind REvil's second shutdown
In an ironic twist, REvil was hacked using the cartels' favourite tactic - compromising backups.
The infamous REvil ransomware group, responsible for extortion attacks against meat supplier JBS and software company Kaseya, announced it was going offline for a second time last Sunday.
"The server was compromised, and they were looking for me. [...] they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I'm off," gang member '0_neday' wrote on the Russian hacking website XSS.
According to reports by Reuters, the sudden shutdown was caused by a multi-country operation.
VMware head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.
"The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list," said Kellermann, an adviser to the US Secret Service on cybercrime investigations.
Since the cartel had targeted critical infrastructure in the US, the threat became a national security matter.
In practice, that meant that the US Justice Department was given a legal basis to join forces with the country's intelligence agencies and the Department of Defense.
According to cybersecurity experts, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.
After REvil's first shutdown in July, the group's spokesperson 'Unknown' dropped off the internet and was presumed dead by other gang members.
However, the remaining members restored the gang's websites from a backup, unknowingly restarting some internal systems that were already under law enforcement control.
"Ironically, the gang's own favorite tactic of compromising the backups was turned against them," Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, told Reuters.
The White House National Security Council declined to comment on the operation specifically but said that the US is building an 'international coalition' to combat ransomware.
One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.
Cyberattacks are increasing in scale, sophistication, and scope. In 2020, ransomware payments reached over $400 million, more than four times the level of 2019. This year will likely set another record benchmark for ransomware cartels globally.
The last 12 months were rife with major high-profile cyberattacks, including those on network management company SolarWinds, the Colonial Pipeline fuel network, meat processing company JBS, and software firm Kaseya. Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.
Recently, a Russia-linked cyber cartel attacked New Cooperative Inc., a major US farm service provider, demanding $5.9 million in ransom.
Meanwhile, a ransomware operation recently dubbed Ranion offered an entirely different payment structure: the group only asks for an upfront payment for its malware, with no additional service fees.
A recent IBM report shows that the average data breach costs victims $4.24 million per incident, the highest figure in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, making the latest result a 10% increase.