The REvil ransomware group was hacked and forced to go offline this week for a multi-country operation, according to three private sector cyber experts working with the United States and a former official.
Former partners and associates of the Russian-led criminal gang were responsible for a cyberattack in May on the Colonial Pipeline that caused widespread gas shortages on the east coast of the United States.
The direct victims of REvil include top meat packer JBS.
The criminal group’s “Happy Blog” website, which had been used to filter victim data and extort money from companies, is no longer available.
Officials said the colonial attack used encryption software called DarkSide, which was developed by REvil associates.
VMWare’s head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel prevented the group from victimizing other companies.
“The FBI, along with Cyber Command, the Secret Service and like-minded countries, have really engaged in significant disruptive actions against these groups,” said Kellermann, adviser to the United States Secret Service on cybercrime investigations.
“REvil was at the top of the list.”
A leadership figure known as “0_neday,” who helped restart the group’s operations after a previous shutdown, said that REvil’s servers had been hacked by an anonymous party.
“The server was compromised and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend and was first discovered by security firm Recorded Future.
“Good luck everyone; I’m going.”
Attempts by the US government to stop REvil, one of the worst of dozens of ransomware gangs working with hackers to penetrate and cripple companies around the world, accelerated after the group compromised the company. American software management company Kaseya in July.
That breach opened access to hundreds of Kaseya clients at a time, prompting numerous response calls to emergency cyber incidents.
Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected through Kaseya to retrieve their files without paying a ransom.
But law enforcement officials initially held the key for weeks as it quietly pursued REvil staff, the FBI later acknowledged.
According to three people familiar with the matter, cyber intelligence and law enforcement specialists were able to hack into REvil’s computer network infrastructure, gaining control of at least some of its servers.
After the websites that the hacking group used to conduct business went offline in July, the group’s main spokesperson, calling himself “Unknown,” disappeared from the Internet.
When gang member 0_neday and others restored those websites from backup last month, he unknowingly rebooted some internal systems that were already controlled by the police.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensic laboratory at the Russian-led security company Group-IB.
“Ironically, the gang itself favorite The tactic of compromising backups turned against him. “
Trusted backups are one of the most important defenses against ransomware attacks, but they must be kept disconnected from mainstream networks or they can also be encrypted by extortionists like REvil.
A spokesman for the White House National Security Council declined to comment specifically on the operation.
“Broadly speaking, we are undergoing an entire government ransomware effort, including disrupting infrastructure and ransomware actors, working with the private sector to modernize our defensesand building an international coalition to hold the countries that host rescue actors accountable, “the person said.
The FBI declined to comment.
A person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil’s IT architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.
The success stems from the determination of US Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security problem akin to terrorism, Kellermann said.
In June, Chief Deputy Attorney General John Carlin told Reuters that the Justice Department was elevating investigations of ransomware attacks to a similar priority.
Such actions gave the Department of Justice and other agencies a legal basis for obtaining help from US intelligence agencies and the Department of Defense, Kellermann said.
“Before, you couldn’t hack into these forums, and the military wanted nothing to do with it. Since then, the gloves have been off.”