Governments turn tables on ransomware gang REvil by pushing it offline - sources

(Corrects spelling of Kellermann throughout)

Ransomware group REvil was hacked this week in a multi-country operation and forced offline, according to three private sector cyber experts working with the United States and a former official.

The Russian-led criminal gang was responsible for the May cyberattack on Colonial Pipeline that caused widespread gas shortages on the US East Coast. REvil’s “Happy Blog” website, which was used to leak victims’ data and extort companies, is no longer available.

Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

Tom Kellermann, head of cybersecurity strategy at VMware, said law enforcement and intelligence personnel stopped the group from victimizing additional companies.

“The FBI, along with Cyber Command, the Secret Service, and like-minded countries, have actually taken significant disruptive action against these groups,” said Kellermann, an adviser to the US Secret Service on cybercrime investigations. “REvil was at the top of the list.”

A leadership figure known as “0_neday”, who had previously helped restart the group’s operations after an earlier shutdown, said that REvil’s servers had been hacked by an unidentified party.

“The servers were compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum late last week, in a post first spotted by security firm Recorded Future. “Good luck, everyone; I’m off.”

The US government’s attempts to stop REvil, one of dozens of ransomware gangs that work with hackers to cripple companies around the world, accelerated after the group compromised American software management company Kaseya in July. https://www.reuters.com/technology/biden-says-uncertain-who-is-behind-latest-ransomware-attack-2021-07-03

That breach opened up access to hundreds of Kaseya’s customers at once, leading to multiple emergency cyber incident response calls.

Decryption key

After the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected through Kaseya to recover their files without paying a ransom.

But law enforcement officers initially withheld the key for weeks as they quietly pursued REvil’s staff, the FBI later acknowledged. https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html

According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil’s computer network infrastructure, gaining control of at least some of its servers.

After the gang’s websites went offline in July, its main spokesperson, who called himself “Unknown”, vanished from the Internet.

When gang member 0_neday and others restored those websites from backup last month, they inadvertently restarted some internal systems that were already controlled by law enforcement.

“The REvil ransomware gang restored infrastructure from backup under the assumption that they were not compromised,” said Oleg Skulkin, deputy head of forensic labs at Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising backups was turned against them.”

Trusted backups are one of the most important defenses against ransomware, but they must be kept disconnected from the main network or they too may be encrypted by extortionists like REvil.

A spokesman for the White House National Security Council declined to comment specifically on the operation.

“Broadly, we are undertaking a whole-of-government ransomware effort: disrupting ransomware infrastructure and actors, working with the private sector to modernize our defenses, and forming an international coalition to hold countries that harbor ransomware actors accountable,” the spokesman said.

The FBI declined to comment.

A person familiar with the events said a foreign partner of the US government carried out the hacking operation that penetrated REvil’s computer infrastructure. A former US official, who spoke on condition of anonymity, said the operation is still active.

Kellermann said the success stemmed from US Deputy Attorney General Lisa Monaco’s determination that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism.

In June, Principal Associate Deputy Attorney General John Carlin told Reuters that the Justice Department was elevating investigations of ransomware attacks to a similar priority as terrorism. https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03

Such designations give the Justice Department and other agencies a legal basis for seeking help from US intelligence agencies and the Defense Department, Kellermann said.

“Before, you couldn’t hack into these forums, and the military didn’t want anything to do with it. Since then, the gloves have come off.”
