The notorious REvil ransomware gang is no more after successful disruption efforts from US law enforcement and their international counterparts, according to Reuters.
Last week, the group’s ‘Happy Blog’ – a dark web site where REvil posted stolen data to try to extort its victims – went offline once again, and a REvil member with the username ‘0_neday’ posted to a Russian hacking forum saying the REvil server “was compromised”.
“They were looking for me,” ‘0_neday’ said.
“They deleted the path to my hidden service in the torrc file and raised their own so that I would go there.
“Good luck everyone, I’m off.”
Days later, Reuters confirmed that it was law enforcement officials who knocked REvil offline in what the news service described as “a multi-country operation” that was still active.
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” Tom Keller, a cybercrime advisor to the US Secret Service, told Reuters.
As yet there has been no official statement from authorities – something John Fokker, Head of Cyber Investigations at McAfee, said was worth keeping in mind.
“Currently, the world media is applauding the statement of a single source from the private sector, which hasn’t been confirmed by any government organisation yet,” he said.
Fokker suspects that older REvil members made copies of the gang's infrastructure during an internal conflict he witnessed, and that they may still have access to the Tor private keys used by 0_neday.
"By publishing these Tor private keys, they can essentially take over the REvil tor hidden service and re-route traffic to their back-up systems away from 0_neday's systems," he said.
"There is no intrusion involved in an action like this and it is comparable to a DNS hijack. It would not be surprising if there was 1-1 direct communication between the older REvil team and 0_neday which caused 0_neday to throw the towel into the ring."
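To see why holding a hidden service's key material amounts to owning its address (the mechanism Fokker likens to a DNS hijack above), here is an added example that is not part of the original article: it derives a v3 onion address from a constructed ed25519 public key and checks a hostname against a key. The sample key is constructed, and the hs_ed25519_public_key file layout is as assumed in the comments, not taken from the article.

```python
import base64
import hashlib

# A v3 onion address is a pure function of the service's ed25519 public key:
#   address  = base32(pubkey || checksum || version) + ".onion"
#   checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
# so whoever holds the matching private key can stand up the same address.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
TOR_PUBKEY_HEADER = b"== ed25519v1-public: type0 =="  # tag assumed at start of hs_ed25519_public_key


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname that this ed25519 public key maps to."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def address_matches_key(address: str, pubkey: bytes) -> bool:
    """Verify that an address (e.g. from Tor's hostname file) belongs to pubkey."""
    host = address.strip().lower()
    if not host.endswith(".onion") or len(host) != 62:
        return False
    try:
        raw = base64.b32decode(host[:-6].upper())
    except ValueError:
        return False
    if len(raw) != 35 or raw[34:35] != ONION_VERSION or raw[:32] != pubkey:
        return False
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + raw[:32] + ONION_VERSION).digest()[:2]
    return raw[32:34] == expected


def pubkey_from_tor_file(data: bytes) -> bytes:
    """Extract the raw key from a hs_ed25519_public_key file, assumed to be a
    32-byte NUL-padded header tag followed by the 32-byte key."""
    if len(data) != 64 or not data.startswith(TOR_PUBKEY_HEADER):
        raise ValueError("not a Tor ed25519 public key file")
    return data[32:]


if __name__ == "__main__":
    # Constructed sample key, not a real service's key.
    sample_key = bytes(range(32))
    key_file = TOR_PUBKEY_HEADER.ljust(32, b"\x00") + sample_key
    addr = onion_address(pubkey_from_tor_file(key_file))
    print(addr, address_matches_key(addr, sample_key))
```

Running `address_matches_key` against your own hostname file and public key is a quick integrity check that the service you are advertising is still the one your key material derives.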
REvil’s short-lived return
REvil had only just returned from a hiatus in late September, two months after it went dark following the attack on US company Kaseya.
Kaseya provides software to managed service providers, meaning REvil’s supply chain attack triggered a mass ransomware event that spread to thousands of organisations around the world.
And while it was not directly responsible for the severe Colonial Pipeline attack that shut down fuel supply along the US East Coast earlier this year, some analysis has suggested Darkside, the group responsible for that incident, contained former affiliates of the REvil group.
The nature of ransomware has changed over the years with groups adopting a kind of ransomware-as-a-service business model in which hackers who infect machines with malware are paid a commission by the malware’s maintainers.
As with other businesses, members of ransomware groups move around and form new companies with new techniques as old ones disband – REvil was formed with members from the former GandCrab ransomware group, for example.
"The criminal minds behind this notorious ransomware family are still not arrested and can re-group as they please," Fokker said.
"This scenario is highly likely given the amount of criminal profits to be made and the slim chances to get caught."
But as the ransomware industry has expanded and its targets have grown, so has the response from law enforcement, such as the FBI’s offensive effort to recover the 63.7 bitcoin Colonial paid its Darkside attackers earlier in the year.
Edgard Capdevielle, CEO of Nozomi Networks, said the efforts to destroy REvil’s infrastructure were an example of the US extending its tough physical reputation into space.
“While this is the first real public display of offensive cyber measures, true adversary deterrence is not built on one example of public response,” he said.
“For the US to regain its reputation it will take a consistent approach of zero tolerance around US critical infrastructure and private cyber industry attacks.”
But not everybody is happy with the aggressive US response.
Ransomware group Conti published a statement, shared by VX-Underground, in which it described REvil’s disruption as an example of “the unilateral, extraterritorial, and bandit-mugging behaviour of the United States in world affairs”.
“Is server hacking suddenly legal in the United States or in any of the US jurisdictions?” Conti asked rhetorically and without irony.
“Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked?
“Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone's sovereignty.”
Conti knocked out the IT systems of the Irish public healthcare service earlier this year.