A multi-country operation hacked into the servers of the REvil ransomware group and forced it to shut operations this week. The information comes from three private-sector cybersecurity experts working with the U.S. and one former official, Reuters reported.
According to these sources, law enforcement and cyber intelligence specialists were able to hack REvil’s information infrastructure and obtain control of some of its servers.
The REvil ransomware group
The REvil group was first discovered in June 2018 and is also known as Sodinokibi or Sodin. It ran a ransomware-as-a-service (RaaS) scheme built on affiliates: affiliates subscribed to the group’s tools, executed the attacks, and kept a percentage of each successful ransom payment. The core developers also built high-end tooling, such as a dashboard showing the real-time status of an attack.
The business model appeared to be thriving. REvil claimed it made over $100 million in profit in a year, and the Darkside software, which U.S. officials say was operated by REvil associates, made $90 million in just nine months.
Further, REvil was among the first hacking groups to adopt the ‘double extortion’ tactic. It pressured victims to pay by publishing a small number of stolen files, encrypting the victim’s data, and threatening to release more data until the ransom demand was met. Members of the gang are reportedly based in Russia.
Action against REvil
The Colonial Pipeline and Kaseya incidents were likely what pushed the government to respond. The attack on Colonial Pipeline caused widespread fuel shortages on the U.S. East Coast and forced the government to declare a state of emergency in as many as 17 states, and the attack on Kaseya infected a further 800-1500 firms. The INTERPOL Secretary-General called it a “ransomware pandemic”.
The FBI began its push against ransomware gangs in June, when it recovered most of the ransom paid by Colonial Pipeline. At the same time, the U.S. issued guidance to investigate ransomware attacks with the same priority as terrorist attacks, which amounts to a major policy shift.
In India, ransomware attacks hit 74% of companies in 2020.
What exactly happened?
Speaking to Reuters, VMware’s head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel had stopped the REvil group. He said:
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”
Kellermann is also an adviser to the U.S. Secret Service on cybercrime investigations.
The FBI had earlier obtained a universal decryption key that could recover files encrypted in the Kaseya attack. However, it withheld the key and secretly continued to pursue REvil’s staff. In the course of that pursuit, the agencies compromised REvil’s infrastructure, including its backups. The group and its websites mysteriously vanished in July, but came back a month later.
Oleg Skulkin, Deputy Head of Forensics Lab, Group-IB, revealed:
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
A spokesperson for the White House National Security Council said, “Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable.”
Another person familiar with the issue told the publication that a “foreign partner of the U.S. government carried out the hacking operation that penetrated REvil’s computer architecture”.
A group member, known as “0_neday”, said, “The server was compromised, and they were looking for me. Good luck, everyone; I’m off.”