Four days ago, the REvil ransomware gang’s leak site, known as the “Happy Blog,” went offline. Cybersecurity experts wondered aloud what might have caused the infamous group to go dark once more.
One theory was that it was an inside job pulled by the group’s disaffected former leader. Another was that law enforcement had successfully hacked and dismantled the group. “Normally, I am pretty dismissive of ‘law enforcement’ conspiracy theories, but given that law enforcement was able to pull the keys from the Kaseya attack, it is a real possibility,” Allan Liska, a ransomware expert, told ZDNet at the time.
“Rebranding happens a lot in ransomware after a shutdown,” he said. “But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”
Well, apparently, whoever relaunched REvil wasn’t the brightest bulb. Last night, Reuters reported that several countries working together took down the ransomware gang using one of the criminal organization’s favorite tactics—compromised backups.
Though the FBI isn’t commenting on the matter, private-sector cybersecurity experts and a former US official confirmed the operation, Reuters reports. “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups,” Tom Kellermann, VMware’s head of cybersecurity strategy and an adviser to the US Secret Service on cybercrime investigations, told Reuters. “REvil was top of the list.”
“The gloves have come off”
The newfound success against the slippery gang stems in part from the new legal freedom to pursue such criminal operations. US Deputy Attorney General Lisa Monaco recently determined that ransomware attacks on critical infrastructure are a national security threat on par with terrorism. That allowed the Justice Department to bring in assistance from the Pentagon and US intelligence agencies.
“Before, you couldn’t hack into these forums, and the military didn’t want to have anything to do with it,” Kellermann said. “Since then, the gloves have come off.”
Finally, in July, REvil hacked software from Kaseya, an IT firm. The company’s compromised remote management tools were used by 54 service providers to serve as many as 1,500 organizations. Victims of the attack ranged from grocery stores to hospitals, town halls, and businesses.
Withholding the key appears to have paid off. The FBI and its collaborators were able to burrow deep enough into REvil’s operations that law enforcement’s software remained hidden in backups that were recently used by gang member “0_neday” to restore operations. When he spun things up again, he unknowingly granted law enforcement access to some of the systems, Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, told Reuters.
“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin said.