REvil Ransomware Gang Taken Down Again, This Time for Good

essidsolutions

The U.S. government coordinated with other countries and private players to disrupt operations of the REvil/Sodinokibi affiliate for the second time this year. The takedown signifies that ransomware operations are now treated as risks to U.S. national security.

One month after the REvil ransomware gang resumed operations, the malicious group went offline for the second time in four months this year. Going by reports, it looks like the cybercriminal group is done for good this time.

The takedown was confirmed by Recorded Future threat intelligence expert Dmitry Smilyanets, who posted a screengrab of a discussion that ‘0_neday,’ a REvil operator, was having on the cybercriminal forum XSS.

> RIP 🪦 #REvil
>
> — Dmitry Smilyanets (@ddd1ms) October 17, 2021

According to sources who spoke with Reuters, the takedown was the result of a multi-country operation in which the infrastructure backing REvil’s activities was hacked and taken offline. This also involved a foreign partner of the U.S. government that penetrated REvil’s systems.

Tom Kellermann, the head of cybersecurity strategy at VMware and also a U.S. Secret Service advisor for cybercrime investigations, told Reuters, “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”

REvil is a Russia-based ransomware group that also leases out its strain to affiliates in what is known as the ransomware-as-a-service model. Cybersecurity companies have branded the gang as among the most notorious ransomware operators since it first emerged in April 2019. So much so that REvil, also known as Sodinokibi, caused the most havoc in 2020 and was responsible for almost one in three (29%) ransomware attacks, according to IBM.

By October last year, the cybercriminal affiliate had amassed at least $81 million through malicious activities by targeting around 140 organizations, of which 36% paid a ransom. Some of the victims included Jack Daniel’s maker Brown-Forman, forex company Travelex, and law firm Grubman Shire Meiselas & Sacks.

Since then, REvil seems to have upped its game and was responsible for some of the biggest ransomware attacks of 2021. These include the ransomware attacks on:

  • Acer, the Taiwanese company that is the world’s sixth-largest computer maker
  • Apple’s Taiwanese supplier Quanta, and by extension Apple, given that the group got its hands on product schematics
  • JBS Foods, the world’s largest processed meat supplier, which caused food supply chain issues
  • IT vendor Kaseya, which impacted 1,500 organizations globally
  • Sol Oriens, a U.S. Department of Energy subcontractor for nuclear weapons consulting

REvil wasn’t directly involved in the ransomware attack against Colonial Pipeline, the largest oil pipeline infrastructure in the U.S. However, its affiliates did develop the DarkSide strain which was used in the attack. In Q2 2021 alone, McAfee Global Threat Intelligence found that 73% of ransomware detections were connected to the REvil group. Overall, the gang targeted over 360 organizations in the past year.

As such, the ransomware problem, in which REvil played a central role, was becoming a national security concern and has evidently elicited a strong response from the U.S. government.


The second takedown of REvil occurred only weeks after the FBI came under the scrutiny of U.S. lawmakers, who sought answers to why the federal agency withheld decryption keys from victims of the REvil attack on Kaseya. Earlier in October, the FBI said it was preparing for an offensive against REvil when it obtained the decryptor in July and didn’t want to alert the group.

However, the offensive never materialized because that’s when the group went underground. Since then, all affiliates re-emerged in September except one unknown operator. Speculation is rife that the FBI obtained the domain key held by this same unknown operator, one of the two domain keys to REvil’s Tor services.

0_neday, in their post on XSS, also noted, “Since there was no confirmation of the reason for his loss, we resumed work, thinking that he was dead. But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same key as ours, my fears were concerned.”

> 🤡 REvil #ransomware developers share updates on the @xss_is forum
>
> — Dmitry Smilyanets (@ddd1ms) October 17, 2021

By “resumed work,” 0_neday basically means they fired up REvil’s servers, which had already been compromised by law enforcement. Oleg Skulkin, deputy head of the forensics lab at security company Group-IB, said, “The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised.”

The operation is still underway. 

A White House National Security Council spokesperson added, “Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable.”
