REvil Ransomware Gang Hacked And Taken Down In Multi-Country Operation
The infamous ransomware organisation REvil’s second disappearance earlier this week has been attributed to a multi-country law enforcement operation.
The organisation, also known as Sodinokibi, originally went offline in July, around the same time that Russia was under pressure to crack down on ransomware gangs operating in the nation. It resurfaced in September before falling offline once more.
According to three private-sector cyber specialists working with the US and one former official, the ransomware gang REvil was attacked and taken offline this week by a multi-country operation.
Partners and affiliates of the Russian-led criminal gang were responsible for the May attack on Colonial Pipeline, which caused major gas shortages on the US East Coast. JBS, a leading meatpacker, is another of REvil’s most prominent victims.
The crime syndicate’s “Happy Blog” website, which was designed to leak victim data and extort businesses, is no longer accessible.
According to officials, the Colonial assault made use of encryption software called DarkSide, which was created by REvil associates.
VMware’s head of cybersecurity strategy, Tom Kellermann, stated that law enforcement and intelligence officials stopped the gang from targeting further firms.
“The FBI, in collaboration with Cyber Command, the Secret Service, and like-minded countries, has genuinely engaged in major disruptive operations against these groups,” said Kellermann, a cybercrime advisor to the US Secret Service. “REvil was at the very top of the list.”
An unknown party hacked REvil’s servers, according to a senior member known as “0_neday,” who helped resume the group’s activities following an earlier halt.
The US government’s efforts to halt REvil, one of the worst of dozens of ransomware gangs that collaborate with hackers to enter and paralyse firms around the world, intensified when the group compromised the US software management company Kaseya in July.
This compromise provided access to hundreds of Kaseya customers at once, resulting in multiple emergency cyber incident response calls.
Following the Kaseya assault, the FBI got a universal decryption key, allowing individuals affected by Kaseya to recover their files without having to pay a ransom.
However, law enforcement officers first kept the key for weeks while discreetly pursuing REvil’s personnel, as the FBI subsequently admitted.
According to three people familiar with the situation, law enforcement and intelligence cyber specialists were able to break into REvil’s network infrastructure and take control of at least some of its servers.
After the hacking organisation’s commercial websites went offline in July, the gang’s chief spokesman, who goes by the moniker “Unknown,” vanished from the internet.
Last month, when gang member 0_neday and others restored those websites from a backup, he unintentionally reactivated certain internal systems that were already under the control of law enforcement.
“The REvil ransomware gang restored the infrastructure from backups on the belief that they had not been hacked,” said Oleg Skulkin, deputy director of the forensics lab at Group-IB, a Russian-led security firm. “Ironically, the gang’s preferred method of compromising the backups backfired on them.”
Backups are one of the most essential lines of defence against ransomware attacks, but they must be kept disconnected from the main networks or they may be encrypted by extortionists like REvil.