Reuters reports that the recent shutdown of the REvil hack group is the work of law enforcement, which compromised the hackers’ infrastructure.
Let me remind you that earlier this week the operations of the REvil ransomware were again suspended, after an unknown person hacked the group’s website, through which the hackers accepted payments from victims and “leaked” data stolen from companies. A REvil spokesman known as 0_neday posted a message on the XSS hacker forum saying that someone had hijacked the group’s domains.
It was also reported that the unknown person hijacked the hackers’ onion domains using the same private keys as the REvil sites. At the same time, the unknown person appeared to have access to backup copies of the hack group’s websites, and 0_neday stated that the group’s server was compromised and that the unknown attacker was targeting REvil.
Now, Reuters’ own sources (three cybersecurity experts from the private sector and a former official) say that the group’s infrastructure was taken offline as a result of a law enforcement operation carried out in several countries around the world. In particular, a person familiar with the events told the news agency that a foreign partner of the US government had carried out a hacking operation to infiltrate REvil’s infrastructure. A former US official who spoke to reporters on condition of anonymity said the operation is still ongoing.
“The ransomware group REvil has restored its infrastructure from backups, assuming they were not compromised,” explains Oleg Skulkin from Group-IB. “Ironically, the group’s favourite tactic – compromising backups – was used against them.”
The head of cybersecurity strategy at VMware, Tom Kellermann, who is also a cybercrime advisor to the US Secret Service, told the media the following:
“The FBI, along with Cyber Command, the Secret Service and like-minded countries, has indeed taken serious subversive action against this group.”
Many believe that this time REvil has ceased its work completely. The fact is that recently the ransomware has already “disappeared from the radar” after scandalous attacks on the customers of the well-known MSP solution provider Kaseya and the JBS company, which is the world’s largest supplier of beef and poultry, as well as the second-largest pork producer.
Although REvil eventually returned a few months later, some cybercriminals and information security experts believed that the FBI or other law enforcement agencies had gained access to the group’s servers and controlled them since the restart. After all, while REvil was inactive, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then, many believed that Russian law enforcement officers received the decryption key from the attackers themselves and handed it over to the FBI as a gesture of goodwill.
In addition, in the past, a member of the group known as Unknown or UNKN has posted advertisements or the latest news about REvil operations on hacker forums. After restarting the operations of the ransomware, he disappeared, and the hackers themselves wrote that Unknown was probably arrested. What happened to him is still not known for certain.