REVIL HACKED BY THE FBI
Who can forget the Colonial Pipeline cyberattack in May, which led to widespread fuel shortages on the East Coast of the United States? Then there was the Kaseya ransomware attack on 2 July this year, in which more than 1,000 businesses, managed service providers and their customers among them, fell victim to ransomware, causing widespread disruption. Who were the perpetrators? None other than REvil, the Russia-linked cybercriminal group also responsible for holding the data of Acer, Travelex and the U.S. meatpacker JBS hostage. The good news is that on Thursday, Reuters reported that REvil had been hacked by the FBI, other U.S. government agencies and major cybersecurity players from around the world. The group’s dark web leak site, ‘Happy Blog’, which it used to publish data stolen from its targets and to extort millions of dollars from companies and individuals, was offline. Hopefully, for good.
HOW REVIL WORKED
REvil primarily operated as a Ransomware-as-a-Service (RaaS) outfit. This involved developing, or paying somebody else to develop, the malware used to hold computers or IT networks to ransom. REvil then supplied the malware to affiliates, who downloaded ready-to-run ransomware builds via a portal and infected targets, usually enterprises or SMBs. These could be single computers or, as in many cases, an entire IT network. If a victim paid, the ransom was split between the operator and the affiliate: in REvil’s case the affiliate received 70% of the money and REvil kept the remaining 30%.
In early July this year, following the attack on the IT management software company Kaseya, which produced thousands of ransomware victims, REvil went offline. U.S. President Joe Biden had spoken personally to his Russian counterpart, Vladimir Putin, pressing him about ransomware attacks originating from Russia, and REvil’s temporary shutdown is believed to have been a result of that conversation. Nevertheless, officials from both countries denied having anything to do with REvil’s closure that month.
On 7 September, REvil’s ‘Happy Blog’ website, used to leak victim data and extort companies via the Dark Web, was active again. There was a change, though. Before the gang’s July shutdown, the ransomware contained a backdoor that REvil’s own administrators could use to decrypt systems and files encrypted by the malware, regardless of which affiliate had deployed it. When REvil resurfaced, the backdoor had disappeared.
Yelisey Boguslavskiy, Head of research at AdvIntel, said of this:
“It looks like the backdoor was around since the very beginning of the REvil RaaS operation and it disappeared during REvil’s restart. In other words, the old REvil – the one before quitting in July – had the backdoor, and the new one, restarting in September, doesn’t have one.”
Boguslavskiy also explained the purpose of the backdoor:
“By using this backdoor, REvil can hijack victim cases during active negotiations with affiliates and obtain the 70% of ransom payments that are supposed to go to the affiliates. We have previously known that REvil has been using double chats when two identical chats are open with the victim by the affiliate and by REvil leadership. At a critical point of negotiations, the leadership switched down the affiliate chat – imitating the victim quitting the negotiations without paying – while continuing to negotiate with the victim to get the full income.”
Kaseya was the final nail in the coffin for REvil, so to speak. After the attack in July, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. Law enforcement had also gained a foothold inside REvil’s own infrastructure, so when the gang restored ‘Happy Blog’ and its other sites from backups in September, it unknowingly restarted internal systems that were already under law enforcement control. Oleg Skulkin, Deputy Head of the forensics lab at the Russian-led security company Group-IB, said:
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. Ironically, the gang’s own favourite tactic of compromising the backups was turned against them.”
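Skulkin’s point applies to any restore, not just a criminal gang’s: a backup is only as trustworthy as the check you run on it before bringing it back up. The script below is an added example of mine, not code from REvil, Group-IB or the FBI, and it shows the minimum such a check should do: hash every file at backup time, authenticate the whole listing with an HMAC whose key is kept off the backup media, and refuse to restore if the manifest or any file no longer matches. The file names, contents and key are constructed for the demo, and `build_manifest` and `verify_manifest` are hypothetical helper names, not a standard tool.

```python
"""Verify a backup against an out-of-band authenticated manifest before restoring it.

Added illustration, not REvil's, Group-IB's or the FBI's code. Assumes the HMAC
key is stored away from the backup media (offline or on a separate system);
all file names, contents and the key below are constructed sample data.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """All regular files under root, as sorted root-relative paths."""
    out = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(out)


def _canonical(entries):
    # Deterministic encoding so the MAC computed at verify time matches.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Hash every file and authenticate the listing with HMAC-SHA256.

    If the key sits beside the backup, whoever tampers with the backup can
    simply regenerate a matching manifest, so it must live elsewhere.
    """
    entries = {rel: sha256_file(os.path.join(root, rel)) for rel in list_files(root)}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "mac": mac}


def verify_manifest(root, manifest, key):
    """Return (ok, problems). The MAC is checked first: an unauthenticated
    manifest says nothing about the files it lists."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, ["manifest MAC mismatch: manifest itself is untrusted"]
    problems = []
    present = set(list_files(root))
    listed = set(manifest["files"])
    problems += [f"missing: {rel}" for rel in sorted(listed - present)]
    problems += [f"unexpected file: {rel}" for rel in sorted(present - listed)]
    for rel in sorted(listed & present):
        if sha256_file(os.path.join(root, rel)) != manifest["files"][rel]:
            problems.append(f"modified: {rel}")
    return (not problems), problems


def demo():
    """Constructed scenario: take a backup, tamper with it, then try to restore."""
    key = b"constructed-demo-key-kept-offline"  # assumption: never stored with the backup
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "site.tar"), "wb") as f:
            f.write(b"constructed archive bytes")
        manifest = build_manifest(root, key)  # taken when the backup was made
        clean_ok, _ = verify_manifest(root, manifest, key)

        # Someone with write access to the backup alters a config and drops a file.
        with open(os.path.join(root, "etc", "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"not part of the original backup")
        tampered_ok, problems = verify_manifest(root, manifest, key)

        # Without the real key they cannot mint a manifest that the real key accepts.
        forged = build_manifest(root, b"attacker-guessed-key")
        forged_ok, forged_problems = verify_manifest(root, forged, key)

    return {
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "problems": problems,
        "forged_ok": forged_ok,
        "forged_problems": forged_problems,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details matter in practice. The MAC is compared with `hmac.compare_digest` and checked before any file hash, so a manifest that was itself rewritten is rejected outright rather than lending false confidence to whatever it lists. And the check reports files that are present but unlisted, not only modified ones, because the thing planted in a compromised backup is often an addition rather than a change.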
THE END OF REVIL
On 21 October this year, REvil went offline again and the ‘Happy Blog’ website was no longer available. Tom Kellermann, VMware’s Head of Cybersecurity Strategy and an adviser to the U.S. Secret Service on cybercrime investigations, said:
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”
WILL REVIL RETURN?
The group is quiet for the moment, but has REvil, which cost a single company more than $40 million, truly been laid to rest? Some think not. Remember that the group resurfaced in September after being offline for just over a month. Also, a Russian security expert told Reuters that infecting backups is a tactic commonly used by REvil itself. But fear not. If you have any concerns about the security of your data and IT infrastructure, or need cybersecurity advice or training, I’m your man. I have over 20 years of experience in developing professional business IT solutions, cybersecurity and risk mitigation. Contact me today and let your worries over cybersecurity be laid to rest.