UPDATED 21:01 EST / OCTOBER 21 2021

SECURITY

REvil ransomware gang was reportedly hacked by law enforcement operation

The second disappearance of the infamous ransomware group REvil earlier this week is being attributed to a multicountry law enforcement operation.

The group, also known as Sodinokibi, first went offline in July at around the same time pressure was put on Russia to act on ransomware gangs operating in the country. It returned in September until once again going offline.

An alleged REvil representative said that an unknown individual accessed parts of the back end of REvil’s website landing page and blog, leading the representative to conclude that a third party had access to the website backups and Onion service keys.

According to Reuters, that unknown person was the U.S. Federal Bureau of Investigation, U.S. Cyber Command, the Secret Service and governments of other unnamed nations. None of the agencies has confirmed participation in taking down REvil so far.

The report says law enforcement and intelligence cybersecurity specialists hacked REvil’s computer network infrastructure, obtaining control of at least some of its servers. The twist in the story is that the access was gained in July, when REvil first announced it was ceasing operations. When the gang restored its network in September, it used backups that had already been compromised by law enforcement.

“The fact of REvil being compromised has been talked about for days in closed CTI groups,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “It was known no later than the 17th that core group members behind REvil were almost certainly compromised. By standing up the Tor hidden services, someone demonstrated they had the private keys required to do so. This was effectively the end of REvil.”
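The inference in the quote above rests on how Tor v3 onion addresses work: the address is derived from the service’s ed25519 public key, so whoever publishes a service at that address must hold the matching private key. The following added example (not code from the article or from any party it describes) computes a v3 onion address from a public key and verifies its checksum, following the published Tor rendezvous specification. The 32-byte key is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_address(pubkey: bytes) -> str:
    """Derive a Tor v3 onion address from a 32-byte ed25519 public key.

    Spec: address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Recover the public key from a v3 onion address, rejecting bad checksums.

    A defender comparing a re-appeared service against a known address can use
    this to confirm the address still binds to the same public key.
    """
    host = address.lower().removesuffix(".onion")
    if len(host) != 56:
        raise ValueError("v3 onion address body must be 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: address is corrupted or forged")
    return pubkey


def same_service_identity(address_a: str, address_b: str) -> bool:
    """True only if both addresses encode the same public key."""
    return parse_onion_v3(address_a) == parse_onion_v3(address_b)


# Constructed placeholder key for demonstration; a real service key would be
# generated by Tor itself and kept private alongside the site's backups.
DEMO_PUBKEY = bytes(range(32))
DEMO_ADDRESS = onion_v3_address(DEMO_PUBKEY)

if __name__ == "__main__":
    print(DEMO_ADDRESS)
    assert parse_onion_v3(DEMO_ADDRESS) == DEMO_PUBKEY
```

Because the address is a function of the public key alone, anyone who controls the corresponding private key (for instance, by restoring it from a compromised backup) can present a service at the exact address users already trust; that is the point the quoted analysis makes.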

Noting one surprise, the Digital Shadows Photon Research Team pointed out that the Reuters report also said REvil was responsible for the Colonial Pipeline attack in May 2021 and used the “DarkSide” encryption software that REvil associates developed. “This contradicts months-long reporting that a ransomware group named DarkSide was responsible for the attack,” the research team said.

Moving forward, the Digital Shadows researchers added, “despite law enforcement operations, it’s realistically possible that unscathed REvil affiliates will return as a rebranded ransomware group. This is a familiar tactic employed by cybercriminals who remain intent on continuing ransomware extortion operations.”

Photo: U.S. Air Force
