Oct 21 (Reuters) – Ransomware group REvil was itself hacked and forced offline by a cross-border operation this week, according to three private sector cyber experts working with the United States and a former official.
Former partners and employees of the Russian-led criminal gang were responsible for a cyberattack on the Colonial Pipeline in May that resulted in widespread gas shortages on the US east coast. One of the direct victims of REvil is the top meatpacker JBS (JBSS3.SA). The crime group’s “Happy Blog” website, which was used to leak victim data and blackmail companies, is no longer available.
Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil staff.
Tom Kellermann, head of cybersecurity strategy at VMware (VMW.N), said law enforcement and intelligence officials prevented the group from harassing other companies.
“The FBI, in partnership with Cyber Command, the Secret Service, and like-minded countries, has taken really significant disruptive actions against these groups,” Kellermann, an advisor to US intelligence on cybercrime investigations, told The List.
A leader named “0_neday” who helped restart the group after an earlier shutdown said REvil’s servers were hacked by an unnamed party.
“The server was compromised and they were looking for me,” 0_neday wrote last weekend on a cybercrime forum, in a post first spotted by the security company Recorded Future. “Good luck everyone; I’m gone.”
The US government’s attempts to stop REvil, one of the worst of the dozen ransomware gangs that work with hackers to break into and cripple companies around the world, accelerated after the group compromised the US software management company Kaseya in July.
This breach opened access to hundreds of Kaseya’s customers at once, resulting in numerous emergency calls for cyber incident response.
DECRYPTION KEY
After the attack on Kaseya, the FBI received a universal decryption key that anyone infected through Kaseya could use to restore their files without paying a ransom.
But law enforcement initially withheld the key for weeks while quietly tracking REvil’s staff, the FBI later admitted.
According to three people familiar with the matter, cyber specialists from law enforcement and intelligence agencies were able to hack REvil’s computer network infrastructure and gain control of at least some of its servers.
The group’s main spokesperson, who calls himself “Unknown,” disappeared from the Internet after websites the hacking group did business with went offline in July.
When gang member 0_neday and others restored these websites from a backup last month, 0_neday unknowingly rebooted some internal systems that were already under the control of law enforcement agencies.
“The ransomware gang REvil restored the infrastructure from the backups on the assumption that it had not been compromised,” said Oleg Skulkin, deputy head of the forensics laboratory at the Russian-run security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising backups was turned against them.”
Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept separate from the main networks, or they too can be encrypted by blackmailers like REvil.
A White House National Security Council spokesman declined to comment specifically on the operation.
“By and large, we are engaged in a number of government ransomware efforts, including disrupting ransomware infrastructure and actors, working with the private sector to modernize our defenses, and forming an international coalition to hold accountable countries that harbor ransomware actors,” the person said.
The FBI declined to comment.
A person familiar with the events said a foreign US government partner carried out the hacking operation that broke into REvil’s computer architecture. A former US official, who spoke on condition of anonymity, said the operation was still active.
The success stems from the determination of the US Assistant Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security problem similar to terrorism, said Kellermann.
In June, Assistant Attorney General John Carlin told Reuters that the Department of Justice is prioritizing investigations into ransomware attacks.
Such actions would have given the Justice Department and other agencies a legal basis to get help from US intelligence and the Department of Defense, Kellermann said.
“In the past you couldn’t hack your way into these forums, and the military didn’t want anything to do with it. Gloves have been off since then.”
Reporting by Joseph Menn and Christopher Bing; Editing by Chris Sanders and Grant McCool