Multi-government operation targets REvil ransomware group
REvil has been forced offline by a multi-government hacking operation, marking the second time in 2021 that the group has gone dark
The REvil ransomware group has been taken offline after a coordinated operation by multiple governments, according to four people with knowledge of the action.
REvil, formerly known as Sodinokibi, has been credited with conducting a number of high-profile ransomware attacks, including on meat processing firm JSB, Taiwanese PC manufacturer Acer, and software management company Kaseya, the latter attack affecting hundreds of managed service providers.
On 17 October 2021, REvil’s representative on cyber crime forum XSS confirmed that an unknown third party had accessed parts of the back-end of its website's landing page and blog. The representative’s account has remained silent since the announcement.
The group’s “Happy Blog” website, which had been used to leak victims’ data and to extort companies, is also no longer available.
Those with knowledge of the multi-government operation, including three private sector cyber experts and a former US official, told Reuters that a foreign partner of the US government had carried out the hacking operation that penetrated REvil’s computer architecture.
It is still unclear which governments were involved in the operation, but the former US official added, on condition of anonymity, that it was ongoing.
The syndicate previously dropped offline in mid-July in mysterious circumstances, prompting community speculation that the authorities in Russia, where REvil is likely based, had pressurised the gang to scale back its activities in the wake of Kaseya.
According to the Reuters report, the FBI managed to obtain a universal decryption key following Kaseya, taking control of some of REvil’s servers and allowing those infected via the attack to recover their files without paying a ransom.
The Reuters report added that when REvil member 0_neday and others restored its websites from a backup in September 2021, they unknowingly restarted some internal systems that were already under the control of US law enforcement.
“The server was compromised, and they were looking for me,” 0_neday wrote on a cyber crime forum first spotted by security firm Recorded Future. “Good luck, everyone; I’m off.”
Speaking with Reuters, Tom Kellermann, an adviser to the US Secret Service on cyber crime investigations, said: “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”
Unnamed US government officials also told Reuters that REvil, using DarkSide encryption software, was also behind the May 2021 ransomware attack on Colonial Pipeline, which led to widespread gas shortages in the US.
This is the first time that REvil and DarkSide have been described as the same operation, with previous reporting on their attacks distinguishing them as separate ransomware gangs.
Read more about ransomware attacks
- The devastating ransomware attack on the Irish Health Service Executive (HSE), was the work of the Conti ransomware gang, also known as Wizard Spider, according to reports.
- Almost half of hospitals have experienced an IT shutdown as a result of a cyber attack in the past six months, but just over one in 10 hospital executives see cyber security investment as a high priority.
- As the Covid-19 pandemic enters what may be its most dangerous phase, we explore how healthcare organisations can ward off cyber threats while preserving their ability to deliver critical care.
“This contradicts months-long reporting that a ransomware group named DarkSide was responsible for the attack,” said the Digital Shadows Photon Research Team. “The FBI has declined to comment on these recent revelations, as is typical during ongoing investigations.
“Despite law enforcement operations, it is realistically possible that unscathed REvil affiliates will return as a rebranded ransomware group. This is a familiar tactic employed by cyber criminals who remain intent on continuing ransomware extortion operations.”
It is widely believed that REvil is already a rebrand of a previous ransomware operation, with the actors behind it probably being the same as those behind an old ransomware strain known as GandCrab.
Although at one point some researchers believed REvil was rebranding as DarkSide, which first emerged in August 2020, both continued operating side-by-side for nearly a year until the latter attacked Colonial Pipeline in May.
In the wake of the Colonial Pipeline ransomware incident and other high-profile attacks such as SolarWinds, US president Joe Biden signed a new executive order to harden US cyber security and government networks, with an emphasis on information sharing.
The White House said at the time that IT providers were too often hesitant (or unable) to share information about compromises, often for contractual reasons, but also out of hesitance to embarrass themselves or their customers.
By enacting measures to change this, the administration said it will be able to defend government bodies more effectively and improve the wider cyber security of the US.
In response to the REvil hack, Steve Forbes, government cyber security expert at Nominet, said that despite not always being a very sophisticated attack method, ransomware’s notoriety is down to its real-world impacts.
“A combination of network analysis to identify the tell-tale signs of a ransomware attack, robust backups to aid recovery, and cross-country co-ordinated takedowns will be the key to stemming the flow of successful ransomware attacks in the future,” he said.
“While this is a major win in the battle against ransomware, we cannot rest easy as the organisations behind ransomware have generated significant income – giving them the ability to rebrand and reinvent themselves many times over. We can only hope that these law enforcement measures start to make the risk greater than the reward for cyber criminals.”