On October 21, the ransomware group REvil was itself hacked and forced offline by a multi-country operation, according to three private-sector cyber experts working with the United States and one former official.
Former partners and associates of the Russian-led criminal gang were responsible for the May cyberattack on Colonial Pipeline that led to widespread gasoline shortages on the U.S. East Coast. REvil’s direct victims include top meatpacker JBS (JBSS3.SA). The crime group’s “Happy Blog” website, which had been used to leak victim data and extort companies, is no longer available.
The development, first spotted by Recorded Future’s Dmitry Smilyanets, comes after a member affiliated with the REvil operation posted on the XSS hacking forum that unidentified actors had taken control of the gang’s Tor payment portal and data leak website.
“The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others; this was not. Good luck everyone, I’m off,” user 0_neday said in the post.
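The tampering the post describes, a HiddenServiceDir entry deleted from torrc and a different one put in its place, is something an operator can catch by diffing the live torrc against a trusted copy. The script below is an added example, not code from the article or from anyone quoted in it: it parses the HiddenServiceDir and HiddenServicePort directives (Tor attaches each HiddenServicePort to the most recent HiddenServiceDir, so order matters) and reports services that were removed, added or re-pointed. Both torrc texts, the directory names and the ports in it are constructed for the demonstration.

```python
import shlex


# Constructed sample torrc files (not real configurations). The baseline is
# what the operator expects; the live file models the tampering described in
# the post: the operator's service directory is gone and a new one has appeared.
BASELINE_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leak_site/
HiddenServicePort 80 127.0.0.1:8081
"""

LIVE_TORRC = """\
SocksPort 0
# the payment_portal directory was removed; a new service was added
HiddenServiceDir /var/lib/tor/attacker_service/   # hypothetical path
HiddenServicePort 80 10.0.0.5:80
HiddenServiceDir /var/lib/tor/leak_site/
HiddenServicePort 80 127.0.0.1:8081
HiddenServicePort 443 127.0.0.1:8443
"""


def parse_hidden_services(torrc_text):
    """Map each HiddenServiceDir to the sorted HiddenServicePort values under it.

    The file is read in order because Tor attaches every HiddenServicePort
    line to the most recent HiddenServiceDir. Comments (from '#') and
    unrelated directives are ignored; a HiddenServicePort with no preceding
    HiddenServiceDir is rejected, as Tor itself would refuse such a torrc.
    """
    services = {}
    current = None
    for raw in torrc_text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "HiddenServiceDir" and args:
            current = args[0]
            services.setdefault(current, [])
        elif key == "HiddenServicePort":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir: %r" % raw)
            services[current].append(" ".join(args))
    return {d: sorted(ports) for d, ports in services.items()}


def diff_hidden_services(baseline_text, live_text):
    """Report hidden services removed, added, or re-pointed relative to the baseline."""
    base = parse_hidden_services(baseline_text)
    live = parse_hidden_services(live_text)
    return {
        "removed": sorted(set(base) - set(live)),
        "added": sorted(set(live) - set(base)),
        "changed": sorted(d for d in set(base) & set(live) if base[d] != live[d]),
    }


if __name__ == "__main__":
    report = diff_hidden_services(BASELINE_TORRC, LIVE_TORRC)
    for kind, dirs in report.items():
        for d in dirs:
            print("%-8s %s" % (kind, d))
```

Run against the constructed files, the report flags the payment portal directory as removed, the attacker's directory as added, and the leak site as changed (an extra port was mapped). In practice the baseline would be a copy of torrc kept off the host, or a hash of it, since an attacker with write access to torrc can edit any on-box reference copy as well.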
The Russia-linked ransomware group attracted major scrutiny following its attacks on JBS and Kaseya earlier this year, prompting it to take its darknet sites offline in July 2021. But on September 9, 2021, REvil made an unexpected return, bringing its data leak site and its payment and negotiation portals back online.
Last month it was reported that the U.S. Federal Bureau of Investigation (FBI) had held back the decryptor, which it obtained by accessing the group’s servers, from victims of the Kaseya ransomware attack for nearly three weeks as part of a plan to disrupt the gang’s operations. “The planned takedown never occurred because in mid-July REvil’s platform went offline, without U.S. government intervention, and the hackers disappeared before the FBI had a chance to execute its plan.”
Officials said the Colonial Pipeline attack used encryption software called DarkSide, which was developed by REvil associates.
VMware (VMW.N) head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel had stopped the group from victimizing additional companies.
“The FBI, in conjunction with the Cyber Command, the Secret Service, and like-minded countries, has truly engaged in significant disruptive actions against these groups,” said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”
Romanian cybersecurity firm Bitdefender eventually released a universal decryptor in September after acquiring the digital key from a “law enforcement partner”.
While it is not uncommon for ransomware groups to evolve, splinter, or reorganize under new names, the criminal field has come under increasing scrutiny for striking critical infrastructure, even as more cybercriminals recognize the profitability of ransomware, bolstered in part by the unregulated cryptocurrency landscape, which lets threat actors extort victims for digital payments with impunity.