A major foreign ransomware group shut down last month after a pair of US Cyber Command and foreign-government operations targeting the criminals’ servers left its leaders too afraid of arrest to stay in business, according to several US officials familiar with the matter.
A foreign government hacked REvil’s servers this summer, but the Russian-speaking criminal group did not discover it had been compromised until Cybercom blocked its website last month by intercepting its traffic, officials said, speaking on condition of anonymity because of the issue’s sensitivity.
Cybercom’s actions were not hacking or destruction, but they robbed the criminals of the platform they used to extort their victims – businesses, schools and others whose computers they locked with encryption malware and from whom they demanded a hefty ransom to unlock the machines, officials said.
Hours after the previously unreported Cybercom operation, one of REvil’s leaders noticed that the site’s traffic had been redirected.
“Domains stolen from REvil,” wrote 0_neday, the leader of REvil, on October 17 in a popular Russian-language forum among cybercriminals.
A “third party,” he wrote, not knowing that Cybercom was responsible, had cloned the group’s web page after obtaining the private keys from its server, which is accessible only through Tor, a special browser that routes Internet traffic through servers around the world to anonymize the user’s identity.
According to 0_neday’s forum post, an initial check revealed no signs of compromise.
Then he checked again, and this time what he found scared him.
“The server has been hacked,” he wrote a few hours later, “and they are looking for me.” And then: “Good luck everyone, I’m taking off.”
Shortly thereafter, REvil ceased operations, including recruiting partners, negotiating ransoms and distributing malware.
The Washington Post previously reported that REvil’s servers were hacked in the summer, allowing the FBI to gain access. The compromise allowed the FBI, working with a foreign partner, to gain access to the servers and private keys, officials said. According to them, last month the bureau was able to share this information with Cybercom, which allowed for the takeover.
Cyber Command spokesman Colonel Sunset Belinski said, “From an operational security perspective, we will not comment on cyber intelligence, planning or operations.”
Cybercom leader General Paul Nakasone said at a security forum in Aspen on Wednesday that while he would not comment on specific operations, “we bring our best people together … really good thinkers” to find ways to “hunt down people” who conduct ransomware attacks and other malicious activities. “I am pleased with the progress we have made,” he said, “and we still have a lot to do.”
The group’s departure may be temporary. Ransomware gangs are known to go underground, regroup and reappear, sometimes under a new name. But recent events suggest that ransomware teams can be pressured – even temporarily – into halting operations if they fear being exposed and arrested, analysts say.
“The latest voluntary disappearance of REvil underscores the powerful psychological impact of these villains believing that they are being hunted and that their identities will be revealed,” said Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator think tank and a cyber expert. “The US government and its allies must proudly acknowledge these cyber operations and make it clear that no ransomware criminals are immune from the reach of their military and law enforcement agencies.”
Cybercom’s work began after high-profile attacks by REvil. In June, REvil attacked JBS, the Brazilian company that is the world’s largest meat processor, which temporarily suspended operations at its nine beef processing plants in the United States and caused disruptions at other plants in Canada and Australia.
In July, the group struck another blow, this time targeting Kaseya, a Miami-based IT firm, infecting its software updates with ransomware that spread to hundreds of businesses. In a post on REvil’s “Happy Blog,” the group initially demanded $70 million to provide a decryption key to unlock the files of businesses affected by the attack.
REvil had disappeared once before.
In July, following the Kaseya hack, President Joe Biden warned Russian President Vladimir Putin that the United States would take “whatever steps are necessary” to protect critical infrastructure. Around the same time, another member of the group, nicknamed “Unknown,” disappeared. Unknown’s disappearance unnerved the group, and it shut down without warning. It is unclear whether Biden’s warning played a role in this.
In any event, 0_neday explained in his post last month, “since there was no confirmation of the reason for his disappearance, we resumed our work, believing that he was dead”.
Privately, the REvil members informed their affiliates that the group would be back, according to Recorded Future threat intelligence analyst Dmitry Smilyanets, who is closely monitoring the group’s activities.
“They told people: ‘Don’t worry, everything is all right, we’ll be back,’” Smilyanets said. “It was no secret in the community that the REvil brand would be reborn.”
REvil returned in September, picking up where it left off by hiring new “partner” hackers to help it carry out attacks. Its victims included a plastics manufacturer and a low-income legal aid service.
Then Cybercom struck.
Smilyanets said that, in his opinion, “REvil as a brand is done.”
He predicted that the malware developers and hackers would continue to do what they did, but probably under a different name or for a different group. As for 0_neday, Smilyanets predicts: “The guy will be back.”
Smilyanets said: “He is so well versed in cybercrime. He won’t go away. He wants his millions of dollars.”