REvil: Agencies from several countries, including the United States, have formed a task force to strike back and "hack the hackers" of the Russian cybercriminal group REvil. The group's leak site (nicknamed Happy Blog) was taken offline, and the servers the group relied on were hijacked.
The information was reported on Thursday (the 21st) by Reuters. According to the agency's sources, the joint action forced REvil offline this week. The gang is notorious for ransomware attacks, having this year hit large companies such as the meat processor JBS and the software vendor Kaseya.
"The FBI, in conjunction with [US] Cyber Command, the Secret Service, and like-minded countries, have really engaged in significant action against these groups," said Tom Kellerman, head of cybersecurity strategy at VMware and an adviser to the US Secret Service.
"The server was compromised and they were looking for me," wrote one of the group's leaders, known as "0_neday", on a cybercrime forum last week. "Good luck everyone, I'm out," he added.
He had already been identified by internet crime-fighting agencies as one of the people who helped REvil get established. The group had gone roughly two months without activity until Happy Blog came back online with fresh postings about the hackers' criminal operations.
According to Reuters, the task force against REvil obtained a universal decryption key that allowed victims to recover their files without paying the group's ransom. The key itself became controversial, because the FBI had obtained it but initially withheld it from victims of the ransomware attacks.
At the time, the justification given was that keeping the key secret could help in arresting REvil members. The key was later provided to Kaseya, a software vendor that the Russian group had also attacked.
Throughout this period, law enforcement authorities kept watching the cybercriminals' movements. Investigators had managed to compromise part of the gang's servers, and they gained even deeper access when 0_neday restored those servers from a backup last month: a backup taken from already-compromised systems simply redeploys whatever foothold the intruders had planted.
“The REvil ransomware gang restored the backup infrastructure on the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at Russian security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising backups was turned against them,” he argued.
Neither the White House nor the FBI has commented specifically on the case. Even so, Reuters cited a former US government official as saying the operation is still ongoing.