International Governments Push REvil Ransomware Group Offline

A multi-country operation forced the REvil ransomware group, a criminal organization behind multiple cyberattacks on US critical infrastructure, offline.

International governments hacked into REvil's infrastructure and forced the ransomware group offline, according to Reuters. REvil, also known as Sodinokibi, was linked to a May cyberattack on Colonial Pipeline and a July attack on IT management software vendor Kaseya.

The group's "Happy Blog" leak site, which REvil used to publish stolen data and pressure victims into paying, was abruptly taken down in mid-October.

REvil was responsible for 73 percent of ransomware detections in Q2 2021, according to McAfee. Other major ransomware groups including Hive, Ryuk, and Conti remain at large.

The news comes just a few weeks after President Biden announced that the US would assemble a meeting of over 30 countries to jointly combat and mitigate ransomware threats.

"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," Tom Kellermann, head of cybersecurity strategy at VMware and an adviser to the US Secret Service on cybercrime investigations, told Reuters. "REvil was top of the list."

Kellermann added that law enforcement had already prevented the group from deploying attacks on additional companies in recent months.

A REvil leader, identified online as “0_neday,” said that REvil’s servers were hacked by an unnamed party.

"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum, according to Recorded Future. "Good luck, everyone; I'm off."

Threat actors deployed DarkSide ransomware, a strain that researchers have linked to REvil, on Colonial Pipeline in May. The attack led the company to shut down a pipeline that carries fuel over thousands of miles of the US East Coast. The group was also connected to a major cyberattack on meat supplier JBS. Its attack on Kaseya's VSA remote management product reached managed service providers and, through them, hundreds of downstream businesses.

The FBI obtained a universal decryption key after the Kaseya attack that allowed infected Kaseya customers to recover their files without paying a ransom. However, the FBI later admitted to withholding the key for three weeks while it prepared an operation to disrupt REvil, according to the Washington Post.

The FBI said it did not want to tip off the group. In mid-July, however, REvil went dark on its own and appeared to be gone until its recent re-emergence.

It is common for ransomware groups to abruptly disappear and rebrand under another name in order to deflect attention from themselves.

According to Reuters’ sources, law enforcement officials were able to hack into REvil’s computer network infrastructure and obtain control of some servers before the group went offline in July. When it reemerged, the group unknowingly restarted some of the servers that were already controlled by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab at security company Group-IB, told Reuters. “Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”
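The backup lesson in the quote above cuts both ways: a restore is only as trustworthy as the evidence that the backup has not been touched since it was taken. The following is an added example, not code from the article, from Reuters, or from Group-IB, of one check a defender can run before restoring: a manifest of file digests is computed at backup time and authenticated with an HMAC key that lives only on a separate witness host, so an intruder on the backup store can alter files or rewrite the manifest but cannot produce a valid tag. The file names, paths and the witness-host arrangement are assumptions for illustration.

```python
"""Verify a backup against an authenticated manifest before restoring it.

Added example (not from the article or the companies it quotes). Assumed
setup: the backup host builds a manifest of SHA-256 digests; a separate
witness host that holds the HMAC key tags the manifest; the restore
procedure refuses any backup whose files or manifest no longer match.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

DIGEST = "sha256"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large archives are not read into memory."""
    h = hashlib.new(DIGEST)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Digest of every regular file under backup_dir, keyed by relative POSIX path."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = file_digest(p)
    return {"digest": DIGEST, "files": files}


def canonical(manifest: dict) -> bytes:
    # Fixed key order and separators so the MAC covers one unambiguous encoding.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest. Runs on the witness host that
    holds `key`; the backup host never sees the key, so an intruder there
    cannot re-tag a manifest after altering it."""
    return hmac.new(key, canonical(manifest), DIGEST).hexdigest()


def verify_backup(backup_dir: Path, manifest: dict, tag: str, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the backup matches its tagged manifest."""
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        return ["manifest tag does not verify: manifest altered or wrong key"]
    problems = []
    current = build_manifest(backup_dir)["files"]
    expected = manifest["files"]
    for rel, digest in expected.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")  # e.g. a planted persistence script
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a clean backup; the same backup with one file edited
    and one file planted; then a rewritten manifest that tries to cover it up."""
    key = os.urandom(32)  # in practice generated on, and never leaving, the witness host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-placeholder")
        manifest = build_manifest(root)
        tag = tag_manifest(manifest, key)  # done on the witness host

        clean = verify_backup(root, manifest, tag, key)

        # Intruder with write access to the backup store edits one file and plants another.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "update.sh").write_text("echo pwned\n")
        tampered = verify_backup(root, manifest, tag, key)

        # Intruder also rewrites the manifest to match, but cannot recompute the tag.
        forged = build_manifest(root)
        covered = verify_backup(root, forged, tag, key)
    return clean, tampered, covered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The tag must be produced by a host the backup host cannot reach with write access; if the key sits beside the backups, an intruder who owns the backup store can re-tag whatever they alter, which is exactly the failure the quote describes. A detached public-key signature would serve the same purpose and additionally let any restore host verify without holding a secret.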

As attacks on US critical infrastructure, healthcare, and finance continue to ramp up, governments across the world are funneling resources into cybersecurity risk management and mitigation tactics.
