By Joseph Menn and Christopher Bing
(Reuters) – The ransomware group REvil itself was hacked by a cross-border operation and forced offline this week, according to three private sector cyber experts working with the US and a former official.
The Russian-led criminal gang was responsible for a cyber attack on the Colonial Pipeline in May that resulted in widespread gas shortages on the US east coast. REvil’s Happy Blog, which exposed victim data and blackmailed companies, is no longer available.
Officials said the colonial attack used encryption software called DarkSide, which was developed by REvil staff.
Tom Kellerman, VMWare’s head of cybersecurity strategy, said law enforcement and intelligence officials had deterred the group from harassing other companies.
“The FBI, in partnership with Cyber Command, the Secret Service, and like-minded countries, has taken really significant disruptive action against these groups,” said Kellerman, a cybercrime investigative advisor to US intelligence. “REvil was at the top of the list.”
A leader named “0_neday” who helped resume operations after an earlier shutdown said REvil’s servers were hacked by an unnamed party.
“The server was compromised and they were looking for me,” wrote 0_neday last weekend in a forum about cybercrime and was first discovered by the security company Recorded Future. “Good luck everyone; I’m gone.”
The US government’s attempts to stop REvil, one of the worst of the dozen ransomware gangs that work with hackers to break into and cripple companies around the world, accelerated after the group hired the US software management company in July Kaseya had compromised.
This breach opened access to hundreds of Kaseya’s customers at once, resulting in numerous emergency calls to respond to cyber incidents.
After the attack on Kaseya, the FBI received a universal decryption key that anyone infected through Kaseya could use to restore their files without paying a ransom.
But law enforcement initially withheld the key for weeks while quietly pursuing REvil’s staff, the FBI later admitted.
According to three people familiar with the matter, law enforcement and secret service cyber specialists were able to hack REvil’s computer network infrastructure and gain control of at least some of their servers.
The group’s main spokesperson, who calls himself “Unknown,” disappeared from the Internet after websites the hacking group did business with went offline in July.
When gang member 0_neday and others restored these websites from a backup last month, he unknowingly rebooted some internal systems that were already being controlled by law enforcement agencies.
“The ransomware gang REvil restored the infrastructure from the backups on the assumption that it had not been compromised,” said Oleg Skulkin, deputy head of the forensics laboratory at the Russian-run security company Group-IB. “Ironically, the gang’s favorite tactic of compromising backups was turned against them.”
Reliable backups are one of the most important defenses against ransomware attacks, but they must remain separate from the main networks or can also be encrypted by blackmailers like REvil.
A White House National Security Council spokesman declined to comment specifically on the operation.
“By and large, we are engaged in a variety of government ransomware efforts, including disrupting ransomware infrastructure and actors, working with the private sector to modernize our defenses, and forming an international coalition to hold countries accountable pull that harbor ransom actors, “said the person.
The FBI declined to comment.
A person familiar with the events said a foreign US government partner carried out the hacking operation that broke into REvil’s computer architecture. A former US official, who spoke on condition of anonymity, said the operation was still active.
The success stems from the decision by US Assistant Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a terrorism-like national security issue, Kellerman said.
In June, Assistant Attorney General John Carlin told Reuters that the Department of Justice is prioritizing investigations into ransomware attacks.
Such actions gave the Justice Department and other agencies a legal basis to get help from U.S. intelligence and the Department of Defense, Kellerman said.
“In the past you couldn’t hack into these forums and the military didn’t want anything to do with them. Since then the gloves have been taken off. “
(Reporting by Joseph Menn and Christopher Bing; Editing by Chris Sanders and Grant McCool)
#Exclusive #Governments #turning #tables #ransomware #gang #REvil #pushing #offline #Sources