A major overseas ransomware group shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter.
The foreign government hacked the servers of REvil this summer, but the Russian-speaking criminal group did not discover it was compromised until Cybercom last month blocked its website by hijacking its traffic, said the officials who spoke on the condition of anonymity because of the matter’s sensitivity.
Cybercom’s action was not a hack or takedown, but it deprived the criminals of the platform they used to extort their victims — businesses, schools and others whose computers they’d locked up with data-encrypting malware and from whom they demanded expensive ransoms to unlock the machines, the officials said.
A “third party,” he wrote — without knowing Cybercom was responsible — had cloned the group’s webpage having obtained the private keys to its server, which is reachable only through Tor, a special browser that routes Internet traffic through a worldwide network of servers to anonymize the user’s identity.
The Washington Post previously reported that REvil’s servers had been hacked in the summer, permitting the FBI to have access. The compromise allowed the FBI, working with the foreign partner, to gain access to the servers and private keys, officials said. The bureau was then able to share that information last month with Cybercom, enabling the hijacking, they said.
Cybercom’s leader, Gen. Paul Nakasone, said at the Aspen Security Forum on Wednesday that while he wouldn’t comment on specific operations, “we bring our best people together . . . the really good thinkers” to brainstorm ways to “get after folks” conducting ransomware attacks and other malign activities. “I’m pleased with the progress we’ve made,” he said, “and we’ve got a lot more to do.”
The group’s departure may be temporary. Ransomware gangs have been known to go underground, regroup and reappear, sometimes under a new name. But the recent development suggests that ransomware crews can be influenced — even temporarily — to cease operations if they fear they will be outed and arrested, analysts say.
“The latest voluntary disappearance of REvil highlights the powerful psychological impact of having these villains believe that they are being hunted and that their identities will be revealed,” said Dmitri Alperovitch, executive chairman of the think tank Silverado Policy Accelerator and a cyber expert. “U.S. and allied governments should proudly acknowledge these cyber operations and make it clear that no ransomware criminal will be safe from the long reach of their militaries and law enforcement agencies.”
In July, after the Kaseya hack, President Biden warned Russian President Vladimir Putin that the United States would take “any necessary action” to defend critical infrastructure. Around the same time, another group member who went by the nickname “unknown” disappeared. Unknown’s vanishing unnerved the group, and without warning it went offline. It is unclear whether Biden’s warning played any role in either.