Life, it seems, is not without its ironies. Months after its cyberattack on the Colonial Pipeline (with its DarkSide encryption software) resulted in a gas shortage along the US East Coast, the ransomware group REvil got a taste of its own medicine when it was hacked and forced offline by an operation involving several countries.
REvil’s “Happy Blog” website, which leaked its victims’ data to extort and blackmail companies, is no longer available.
“The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, has truly engaged in significant disruptive actions against these groups,” said VMware head of cybersecurity strategy Tom Kellermann. “REvil was top of the list.”
How did REvil, which presented itself as a major ransomware gang known for extorting companies and coordinating cyberattacks, get taken down? Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, answered that question: “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
Let us delve a bit deeper. Following REvil’s attack on the US software management company Kaseya this July, the FBI obtained a universal decryption key that let the victims of the attack recover their files without paying a ransom.
When gang member 0_neday and others restored the websites from a backup in September, assuming the backup had not been compromised, they unknowingly restarted internal systems that were already under law enforcement control. This gave law enforcement and intelligence cyber specialists access to REvil’s computer network infrastructure and control of at least some of its servers.
“Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable,” a spokesperson for the White House National Security Council said.