The second disappearance of the infamous ransomware group REvil earlier this week is being attributed to a multicountry law enforcement operation.

The group, also known as Sodinokibi, first went offline in July at around the same time pressure was put on Russia to act on ransomware gangs operating in the country. It returned in September until once again going offline.

An alleged REvil representative said that an unknown individual accessed parts of the back end of REvil’s website’s landing page and blog, leading the person to conclude that a third party had access to the website backups and Onion service keys.

According to Reuters, that unknown person was the U.S. Federal Bureau of Investigation, U.S. Cyber Command, the Secret Service and governments of other unnamed nations. None of the agencies has confirmed participation in taking down REvil so far.

The report says law enforcement and intelligence cybersecurity specialists hacked REvil’s computer network infrastructure, obtaining control of at least some of its servers. The twist in the story is that the access was gained in July when REvil first announced it was ceasing operations. When the gang  restored the group’s network in September, it used backups that had already been compromised by law enforcement.

“The fact of REvil being compromised has been talked about for days in closed CTI groups,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc., told SiliconANGLE. “It was known no later than the 17th that core group members behind REvil were almost certainly compromised. By standing up the Tor hidden services, someone demonstrated they had the private keys required to do so. This was effectively the end of REvil.”

Noting a surprise, the Digital Shadows Photon Research Team pointed out that the Reuters report also said REvil was responsible for the Colonial pipeline attack in May 2021, and used the “DarkSide” encryption software that REvil associates developed. “This contradicts months-long reporting that a ransomware group named DarkSide was responsible for the attack,” the research team said.

Moving forward, the Digital Shadows researchers added, “despite law enforcement operations, it’s realistically possible that unscathed REvil affiliates will return as a rebranded ransomware group. This is a familiar tactic employed by cybercriminals who remain intent on continuing ransomware extortion operations.”

Photo: U.S. Air Force