The REvil Ransomware Group Has Been Taken Down by a Multi-Nation Operation

A multi-nation operation is said to have hacked REvil, one of the world’s most active ransomware gangs, which took responsibility for some of the most high-profile hacks in recent history.

In 2018, the hacking organization Sodinokibi was linked to the creators of the GandCrab malware. REvil is thought to have bloomed a few months before GandCrab’s closure.

A recent VirusTotal Ransomware Activity Report indicated that the GandCrab ransomware family was the most active in early 2020, before declining dramatically in the second half of the year.

The GandCrab ransomware-as-a-service product, like other ransomware varieties, held files on infected machines hostage until victims paid a ransom.

The service operated an online portal through which cybercriminals could join up and pay to gain access to customized versions of the GandCrab ransomware, which would be used to distribute email spam, exploit kits, and other cybercriminal tools of the trade.

The original GandCrab author received a commission whenever an infected user satisfied the malware distributor’s ransom demand – the remainder of the cut was collected by the cybercriminal who installed the malicious software on the victim’s PC.

An intriguing note about the ransomware has since been made: it does not target computers and networks in Russia or the former Soviet Union; this fact provided strong evidence that the designers of the malicious software were the same players behind the Russian-linked REvil threat group.

A History of Global Hacks

REvil, said to be based in Russia, has been linked to some of the most significant cyberattacks of 2021. In April, the ransomware organization sought $50 million from Apple in exchange for data supposedly stolen from one of the world’s most valuable corporations.

Nobody knows whether Apple accepted REvil’s demands, but the cybercriminal family threatened to auction off information on unannounced products if the tech giant did not satisfy them.

Later, the ransomware gang hacked JBS, America’s largest beef supplier, and extorted approximately $11 million from the company.

Previous media stories detailed the JBS attack, which caused widespread disruptions in the meat supply chain in North America and Australia. Then, JBS SA in Brazil informed the US authorities about the ransomware attack undertaken against the company.

JBS announced that they had made “great progress in resolving the cyberattack” while confirming that the cyberattack was orchestrated by the REvil threat organization. The world’s largest meatpacker then hinted that the vast majority of its beef, hog, poultry, and prepared foods operations would reopen a day after their announcement.

The cyberattack against JBS coincided with a similar ransomware attempt undertaken by the same gang against Colonial Pipeline, the largest petroleum pipeline in the United States.

The May event caused severe problems in the energy sector, with officials reporting that fuel distribution was halted for a few days in the United States’ Southeast. Given that Colonial Pipeline delivers refined gasoline and jet fuel from Texas up the East Coast to New York, the attack’s size was obvious.

The reaction efforts following the attack demonstrated the energy sector’s vulnerability, as the fuel transporter was forced to shut down its 5,500-mile pipeline, which is claimed to transfer 45 percent of the East Coast’s fuel supplies.

It turned out that the decision to shut down the pipeline was made to contain the cyberattack. The same week, fuel disruptions occurred along the pipeline for unknown reasons; no one knew whether the fuel scarcity was a direct result of the attack or of Colonial Pipeline’s self-implemented response to the breach.

It is worth mentioning that the United States Justice Department later seized a major chunk of the ransom paid by Colonial Pipeline to the threat actors. According to market conversion rates at the time, the monies amounted to millions of dollars in digital currency – the specific values were later estimated to be 75 Bitcoin valued at more than $4 million.

The ransomware organization would go on to target another global IT supplier, Kaseya, seeking a $70 million payment in exchange for access to locked victim files.

REvil’s web services vanished from the internet for mysterious reasons just two weeks after the Kaseya breach.

Hunter Becomes Hunted

The Federal Bureau of Investigation (FBI), the United States Secret Service, Cyber Command, and institutions from other countries around the world have been credited with taking down the renowned ransomware organization.

REvil’s dark web blog, which the hackers used to disseminate information obtained from victims, has now gone down. The FBI attack against the ransomware outfit became public early this week, with TechCrunch reporting that the REvil Tor website had fallen offline.

Otherwise, conjecture regarding the law enforcement hack may have started with the discovery of a forum post whose screenshot was published by a Twitter user – in the post, a suspected leader stated that the REvil server had been compromised (See below).

Figure 1: A suspected REvil member discusses the recent disturbance on an internet forum (Source: Twitter)


According to Reuters, the development may mark a watershed moment for dark web-enabled threat organizations that have been harming government institutions and private enterprises on US land and around the world.

The most recent incident echoes the United States government’s current offensive against cybercriminal companies that have frightened organizations with ransomware attacks. In addition to establishing a crypto enforcement team, the US Treasury has increased sanctions to prevent criminals from profiting from hacking attacks.

Nonetheless, it’s worth mentioning that the famed ransomware organization may not be finished. Previous stories have indicated that the hacking family has previously vanished from the dark web, only to reappear under mysterious circumstances.

Looking Back – REvil Has Previously Disappeared

REvil first vanished from the internet in July after targeting Kaseya, a provider of IT solutions to Managed Service Providers (MSPs) and corporate clients.

Kaseya VSA is a well-known software application for remote network management. It is well-liked by a slew of managed security providers and firms that specialize in providing IT solutions to other corporate actors.

It goes without saying that the design and approach of network management software make it an especially appealing target for cybercriminals. Because these systems have broad access to a company’s computer networks and perform a huge number of jobs, they can readily conceal a back door. Because of these characteristics, they are particularly difficult for cyber teams to monitor on a regular basis.

The corporation verified the high-profile attack on Kaseya, stating that it had been the victim of a hack over the American Independence Day weekend.

It is worth noting that the scope of the attack had huge repercussions for the corporate divide, given the importance of Kaseya services around the world. It turns out that the firm’s software is designed to serve over 40,000 organizations and MSPs in various nations.

The fact that Kaseya provides technology solutions to MSPs who serve other businesses demonstrates the relevance of the software supply chain participant.

On July 3, 2021, a malicious hotfix was released and deployed by VSA servers in response to what happened with the Kaseya hack. The malware was subsequently distributed to Kaseya-managed servers, resulting in the compromise and encryption of thousands of nodes, affecting hundreds of different companies and enterprises.

According to cybersecurity experts, the malicious update contained a ransomware payload known as Sodinokibi, which was linked to the REvil ransomware organization; it locked the compromised servers and shared folders.

What Happened Before?

REvil’s disappearance in July elicited a range of emotions, both online and offline. At the time, cybersecurity experts were unable to determine the precise cause of the ransomware group’s failure. A lot of hypotheses have emerged in an attempt to explain why the world’s most powerful ransomware outfit opted to go offline.

Then, several analysts claimed that the group had vanished forever, citing the fact that the ransomware family had never gone offline since its inception in 2019.

A number of cyber specialists speculated at the time that REvil’s decision was influenced by the necessity to respond to the Biden administration’s warning about a planned blitz against cybercriminal groups jeopardizing US institutions and enterprises.

Still, media outlets were inundated with stories that President Biden had requested Russian President Putin to make a meaningful commitment to putting an end to cybercriminal activity emanating from Russian soil.

This confirms the long-held opinion that the Russian government has been hesitant to crack the whip on local-based threat groups as long as they do not attack domestic institutions and businesses. Worse, several security professionals had raised concerns that the Russian government itself was responsible for some of the most devastating cyberattacks in modern history.

Nonetheless, despite all of the crazy assumptions at the time, it was possible that the ransomware group had gone offline of its own volition in order to reduce the tremendous attention it was garnering from worldwide law enforcement.

It is possible that REvil operators were also rethinking their operational plan. They may have studied previous incidents and decided to pause their cybercriminal activities before reappearing as a rebranded organisation trying to operate beneath the radar of law authorities.

At the time, Neil Jones, an Egnyte cybersecurity expert, told CPO Magazine that REvil’s power should not be underestimated. He encouraged businesses to be on the lookout for ransomware attacks, which might disrupt their operations and inflict severe economic damage.

Overall, it was impossible to determine what had happened to the REvil ransomware organization as institutions and law enforcement agencies sought to strengthen existing cyber defenses against the group’s potential return to action.

Return after a 2-Month Hibernation

REvil made its return just two months after their successful hack against Kaseya in July. Cybersecurity experts confirmed that the ransomware operation’s dark web servers were restarted after a two-month hiatus.

Then, no one knew whether the ransomware group was back in business or if the reappearance was due to a law enforcement operation to acquire evidence.

The activities sparked interest in various cybersecurity circles, with an underground intelligence pundit and Recorded Future blogger using Twitter to share a screenshot of the now-operational REvil’s data leak site dubbed Happy Blog (See below).

Figure 2: A screenshot of a Twitter post displaying an active REvil Happy Blog web page (Source: Twitter)


Furthermore, the cyber news site Bleeping Computer stated on July 8 that REvil operators added a new victim entry following the group’s cyberattack. The news platform went on to say that the Tor negotiation website was back up and running.

REvil’s Tor negotiation site, on the other hand, was reportedly not completely operating at the time, in contrast to the fully functional Happy Blog. While customers could see the login screen, they couldn’t log on to the site, according to Bleeping Computer.

While speaking with ZDNet, ransomware guru Allan Liska stated that REvil’s return was expected, but that the ransomware gang will return under a different business name and with a new ransomware variant.

The ransomware specialist went on to link the ransomware gang’s disappearance to their desire to remain off the radar of law enforcement following their aggressive cyberattacks that had captured the world’s attention.

Importantly, Liska stated that REvil’s return, although keeping their group name, would be a liability in the long run. He based his reasoning on the anticipation that law enforcement agencies and cyber researchers would continue to probe for information about REvil operators’ intended operations.

As luck would have it, the cybersecurity expert’s comments were vindicated because police were finally able to take down the ransomware outfit.


With what has happened with REvil in the past, it’s impossible to say whether this marks the end of one of the most powerful ransomware families in recent memory. According to a lot of cybersecurity researchers, REvil may transform into another gang by changing techniques and returning to the ransomware market.

Indeed, it is easy to imagine REvil operators abandoning the ransomware trade, which has since turned into a multibillion-dollar industry, according to cyber investigators. The findings also suggest that the majority of the illicit trade’s earnings are often shared with a small number of organized threat groups.

Around 85 percent of essential infrastructure in the United States is controlled by the private sector, which explains why companies like Colonial Pipeline would be targeted by a swarm of hackers. The presumption is that privately owned firms are not required by the US government to follow strong cybersecurity practices.

As a result, 2020 estimates indicate that the total amount of ransom paid by ransomware victims to threat actors reached $350 million in digital currency – the figures represent a 311 percent increase in the value of ransom paid to hackers when compared to 2019.
