A collaborative international law enforcement effort, involving multiple US agencies and unnamed foreign governments, appears to have at least temporarily crippled the notorious REvil ransomware gang. The FBI, U.S. Cyber Command, and the Secret Service reported having control of REvil’s servers, taking the group’s Tor sites and dark web infrastructure off the internet and putting it beyond reach.
REvil has been on a spree of high-profile ransomware attacks over the past two years, involved in the recent attacks on JBS and Apple supplier Quanta among numerous other incidents. While the group’s members remain at large, the loss of essentially all of their central infrastructure will be a heavy blow to overcome.
REvil ransomware gang possibly finished after massive international law enforcement operation
Though a public statement about the operation has yet to be made, several anonymous former US officials and cybersecurity experts told Reuters that US and foreign law enforcement agencies had collaborated to knock the stubborn and disruptive ransomware gang offline.
Last week, the REvil Tor sites disappeared from the web without an explanation. This had happened before in July, with the REvil payment portal and “Happy Blog” vanishing from the dark web after the group was implicated in the Kaseya attack and the Biden administration vowed to crack down on it.
The ransomware gang’s previous disappearance turned out to be a hiatus, presumably to take some of the heat off, as it reappeared and got right back to compromising victims in September. When the group’s Tor sites went down again last week, cybersecurity experts noted that they appeared to have been hijacked and replaced with an older copy of the group’s keys.
Chatter on dark web forums initially centered on a user called “Unknown,” who had previously served as the group’s public-facing spokesperson but did not return with the rest of the ransomware gang when operations started up again in September. The old keys appeared to be ones that only Unknown and the rest of the group would have access to, leading some to believe that the former member was staging an independent takeover or some sort of action against the group.
As it turns out, those keys were in the hands of law enforcement agencies. The FBI had already come into possession of a universal decryption key usable by victims of the Kaseya ransomware, something for which Congress recently took the agency to task, since it withheld the key from victims for weeks. Information had been floating around indicating that US law enforcement agencies had penetrated the ransomware gang’s servers over the summer, but the extent of their access was not known until the Tor sites went offline.
Robert Cattanach, partner at the international law firm Dorsey & Whitney, observes that the government agencies used a common ransomware technique against the perpetrators: “Confirming speculation over the cause of the latest demise of notorious cybergang REvil’s website, Reuters reports that a consortium of ‘like-minded countries’ – likely spearheaded by the FBI, Cyber Command, and the Secret Service – took a page from the hacker’s playbook and covertly corrupted backups, which REvil apparently attempted to use to restore its functioning after the FBI took it down earlier. Infecting backups with secret malware is a common stratagem used by hackers to deter victims from attempting to restore their systems, and instead pay the ransom rather than going through the time and expense of a clean reboot. But apparently someone at REvil didn’t get their own memo, and attempted to use REvil’s backup files to restore their systems – always a risk if you’ve been hacked, but one which some victims are willing to take to avoid the costly and time-consuming alternative.”
The ransomware gang was apparently compromised as soon as it restarted its servers in September; the federal agencies had been lying in wait. If this is true it does raise several more questions about the methodology, as REvil was allowed to compromise a number of new victims over several weeks before it was taken offline.
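The backup-poisoning technique Cattanach describes works because a restore is usually trusted blindly. The defensive counterpart is to record a cryptographic manifest of a backup at the time it is taken, keep the signing key off the backed-up host, and refuse to restore until the current contents match that manifest. The following is an added illustration written for this article, not code from any party mentioned in it; the backup tree, the file contents and the HMAC key are constructed sample values, and storing the key offline is an assumption about the operator's setup.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup artifacts stay cheap."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under the backup root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialise the manifest canonically and attach an HMAC-SHA256 tag.
    The key must live somewhere the backed-up host cannot reach (assumption:
    an offline vault), otherwise an intruder can simply re-sign a poisoned tree."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def verify_backup(root: Path, signed: bytes, key: bytes) -> dict:
    """Check the signed manifest first, then diff it against the tree on disk.
    Returns a verdict plus the lists a responder needs: what changed, what was
    planted, and what disappeared."""
    doc = json.loads(signed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"ok": False, "reason": "manifest signature invalid",
                "modified": [], "added": [], "missing": []}
    recorded = doc["manifest"]
    current = build_manifest(root)
    modified = sorted(p for p in recorded if p in current and current[p] != recorded[p])
    missing = sorted(p for p in recorded if p not in current)
    added = sorted(p for p in current if p not in recorded)
    ok = not (modified or missing or added)
    return {"ok": ok,
            "reason": "" if ok else "backup contents differ from signed manifest",
            "modified": modified, "added": added, "missing": missing}


def demo() -> tuple:
    """Constructed scenario: sign a clean backup, then tamper with it the way the
    article describes (binary swapped, extra file dropped in) and re-verify."""
    key = b"constructed-offline-manifest-key"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-constructed-binary")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)

        # Simulated poisoning of the stored backup after the manifest was taken.
        (root / "bin" / "service").write_bytes(b"\x7fELF-constructed-binary-altered")
        (root / "bin" / "extra").write_bytes(b"planted")
        tampered = verify_backup(root, signed, key)

        # An intruder who re-signs the poisoned tree without the offline key fails earlier.
        forged = sign_manifest(build_manifest(root), b"wrong-key")
        forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, json.dumps(result))
```

The signature check runs before the file diff so that a manifest rewritten on the compromised host is rejected outright; only a manifest signed with the offline key is compared against the tree. The verdict reports every modified, added and missing path, which is what an incident responder wants to see before deciding whether a restore is safe.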
Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct, sees the government’s overall approach as a necessary escalation of involvement given how serious the ransomware threat has become: “We have seen this type of involvement from the U.S. government before. The Colonial Pipeline response and disclosure that the bitcoin ransom was paid in the attack had been partially recovered due to the U.S. government involvement. The next example would be the media coverage around the arrest of two ransomware suspects apprehended in Ukraine with the assistance of the U.S. government during a multi-country and law enforcement joint effort to take down these ransomware gang members and to seize financial, physical, and virtual assets … The hope is that the actions the U.S. government has taken against these ransomware criminal gangs will set a precedent for other countries and the gangs themselves that governments will no longer stand by idly and allow these 21st century cyber mafia gangs to operate without impunity.”
With Tor sites taken out, is REvil gone for good?
There is no word about identification or apprehension of the REvil ransomware gang, but the seeming complete compromise of the group’s Tor sites and infrastructure could very well force it out of business for good.
However, that does not mean its members are out of the game. Ransomware gangs routinely disband when the pressure gets too high, take a few months off, and come back fresh with a new name and potentially a new approach. Given that the group is made up of experienced veterans, the REvil crew will likely be back in some new form unless they are found and taken into custody.
Even if it had the means to regroup from this latest blow, REvil looked like it was on shaky legs since it reformed in September. The group was observed having difficulty recruiting new affiliates on dark web forums, most likely given the special attention being paid to it by international law enforcement agencies. The ransomware gang had pushed its affiliate commissions up to an unprecedented 90% just prior to having its Tor sites taken offline.
Whatever may happen with REvil, its previous victims should be prepared for the possibility of internal company information being sold on the dark web. The group may decide to cash in on whatever assets it has left as it closes up shop, and that could include the valuable corporate secrets and personal information of companies that previously paid it a ransom. REvil has no reason to be concerned about ruining its brand, as the members will likely be back under completely new names if they are not apprehended.
Camellia Chan, CEO and co-founder of Flexxon, also sees this as a prompt to prevent future breaches: “For businesses, this should be a wake-up call to bolster defences. When developing a cybersecurity strategy, it’s important to remember that a staggering 95 per cent of data breaches are the result of human error. Anti-virus software alone is not enough – it requires too much input from the individual, like updating the software. Companies should adopt robust firmware as the last line of defence. And, incredible advancements in technology mean it’s now possible to have AI-infused SSD embedded into laptops to protect against every type of attack, from ransomware and malware all the way to physical security. Put simply, if the hacker can get hacked, so can you!”