FBI, others crush REvil using ransomware gang’s favorite tactic against it
Multi-nation operation succeeds as gang member makes critical mistake.
Tim De Chant
Four days ago, the REvil ransomware gang’s leak site, known as the “Happy Blog,” went offline. Cybersecurity experts wondered aloud what might have caused the infamous group to go dark once more.
One theory was that it was an inside job pulled by the group’s disaffected former leader. Another was that law enforcement had successfully hacked and dismantled the group. “Normally, I am pretty dismissive of ‘law enforcement’ conspiracy theories, but given that law enforcement was able to pull the keys from the Kaseya attack, it is a real possibility,” Allan Liska, a ransomware expert, told ZDNet at the time.
“Rebranding happens a lot in ransomware after a shutdown,” he said. “But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”
Well, apparently, whoever relaunched REvil wasn’t the brightest bulb. Last night, Reuters reported that several countries working together took down the ransomware gang using one of the criminal organization’s favorite tactics—compromised backups.
Though the FBI isn’t commenting on the matter, private-sector cybersecurity experts and a former US official confirmed the operation, Reuters reports. “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups,” Tom Kellermann, VMware’s head of cybersecurity strategy and an adviser to the US Secret Service on cybercrime investigations, told Reuters. “REvil was top of the list.”
“The gloves have come off”
The newfound success against the slippery gang stems in part from the new legal freedom to pursue such criminal operations. US Deputy Attorney General Lisa Monaco recently determined that ransomware attacks on critical infrastructure are a national security threat on par with terrorism. That allowed the Justice Department to bring in assistance from the Pentagon and US intelligence agencies.
“Before, you couldn’t hack into these forums, and the military didn’t want to have anything to do with it,” Kellermann said. “Since then, the gloves have come off.”
REvil was one of the most notorious ransomware gangs in recent years. The group first appeared in 2019, and over the last year, it racked up a laundry list of victims. The first was a celebrity law firm that represented Lady Gaga, U2, and Madonna. The firm refused to pay the $21 million ransom, so REvil published some of Lady Gaga’s documents. Next up was contract manufacturer Quanta Computer. REvil stole confidential data from the company and published details of two Apple products. In May, the group hacked Colonial Pipeline’s operations, causing widespread fuel shortages from New Jersey to Texas. In June, it attacked JBS, a meat processor, shutting down plants in the US, Canada, and Australia.
Finally, in July, REvil hacked software from Keseya, an IT firm. The company’s compromised remote management tools were used by 54 services providers to serve as many as 1,500 organizations. Victims of the attack ranged from grocery stores to hospitals, town halls, and businesses.
In September, a report by The Washington Post revealed that the FBI had hacked REvil’s servers and obtained a universal decryption key but didn’t tell victims for three weeks. At the time, FBI Director Christopher Wray testified before Congress that the delay was strategic. “We make the decisions as a group, not unilaterally,” he said. “These are complex… decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
Withholding the key appears to have paid off. The FBI and its collaborators were able to burrow deep enough into REvil’s operations that law enforcement’s software remained hidden in backups that were recently used by gang member “0_neday” to restore operations. When he spun things up again, he unknowingly granted law enforcement access to some of the systems, Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, told Reuters.
“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin said.