“The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Tom Kellerman, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.” Kellerman attributes this success to the DOJ’s guidance stating that ransomware attacks on critical infrastructure should be treated at the same level as terrorism.
Investigation into REvil Cyber Attacks
The U.S. government, partnering with governments from around the globe, has attempted to stop the most notorious ransomware gangs, including REvil, for years. However, the efforts were accelerated after the 2021 attacks on the Colonial Pipeline in May, meatpacker JBS in June, and Kaseya, the US software management company, in July. The attack on Kaseya appears to have been the turning point in the fight. According to an FBI agent close to the Kaseya investigation, the FBI was able to obtain a decryption key to unlock the Kaseya files but withheld it for almost three weeks to allow them additional time to investigate and track down members of the REvil group without “tipping off” the ransomware gang. According to the source, those involved in the investigation weighed the value of disclosing the key against the “value of a potential longer-term operation in disrupting an ecosystem,” and the group decided the latter was more valuable.
Governments Take Control of the REvil Systems
In July, without law enforcement’s intervention, the hacker group’s websites went offline. “Unknown”, the group’s spokesman, also seemingly disappeared. However, it was too late for REvil. During the Kaseya investigation, law enforcement was able to hack into the group’s network and take control of some of their internal systems. Last month, the gang members restored the websites from a backup, not knowing that, in doing so, they restarted the very internal systems that law enforcement already controlled. In a recent statement, Oleg Skulkin of the Russian-led security company Group-IB, stated, “The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. The gang’s own favorite tactic of compromising the backups was turned against them.” One of REvil’s leadership,“0_neday”, announced the REvil’s servers compromise on a cybercrime forum last weekend.