Multiple governments coordinated to take the ransomware group REvil offline months after its system-locking malware was used in crippling cyberattacks against meat supplier JBS Food and IT vendor Kaseya, according to reports.
The Russian-speaking criminal gang creates and sells ransomware software to affiliate cybercriminals and takes a cut of the earnings they make from ransom payments.
Four people in the US with direct knowledge of the multi-government operation told Reuters that law enforcement moved to prevent REvil from causing further harm.
REvil’s “Happy Blog” website, which the group used to publish stolen victim data to extort ransom payments, is no longer accessible.
Such offensive hacking operations by law enforcement are rare because the targets are often located in multiple jurisdictions. A foreign partner of the US government conducted the hacking operation that compromised REvil’s systems, one of the sources told Reuters.
Offensive hacking operations can also be incredibly effective, as shown by a Europol-led operation to take down prolific banking trojan EMOTET. In the wake of high-profile ransomware incidents, including against Colonial Pipeline, the Biden Administration has promised to take a tougher stance on the cybercriminals perpetrating the attacks by treating them as national security issues.
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” Tom Kellermann, an adviser to the US Secret Service on cybercrime investigations and head of cybersecurity strategy at VMware, told Reuters. “REvil was top of the list.”
Recorded Future researcher Dmitry Smilyanets was the first to discover that REvil had been hacked. On 17 October, he shared a cybercrime forum screenshot of a post from a REvil leadership figure known as “0_neday”, which read: “The server was compromised, and they were looking for me. Good luck, everyone; I’m off.”
— Dmitry Smilyanets (@ddd1ms), October 17, 2021
It is the second time REvil’s online presence and infrastructure have disappeared, with intelligence agencies reportedly hacking some of its servers back in July following its attack against Kaseya.
That attack led to the compromise of organisations that used Kaseya’s maintenance software, including schools and local supermarkets. 0_neday brought REvil’s operation back online, but with his apparent disappearance REvil’s future remains uncertain – although there are dozens of other ransomware groups waiting in the wings.
For more information on ransomware and what to do in the event of an attack, read our explainer here.