Feds Reportedly Hacked REvil Ransomware Group and Pressured it Offline


The Russian-led REvil ransomware gang was felled by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline for a second time earlier this week, in what is the latest action taken by governments to disrupt the lucrative ecosystem.

The takedown was first reported by Reuters, quoting multiple private-sector cyber experts working with the U.S. government, noting that the May cyber attack on Colonial Pipeline relied on encryption software developed by REvil associates, officially corroborating DarkSide's connections to the prolific criminal outfit.


Coinciding with the development, blockchain analytics firm Elliptic disclosed that $7 million in bitcoin held by the DarkSide ransomware group had been moved through a series of new wallets, with a small fraction of the amount being transferred with each hop to make the laundered money harder to trace and to convert the funds into fiat currency through exchanges.

On Sunday, it emerged that REvil's Tor payment portal and data leak website had been hijacked by unidentified actors, with a member affiliated with the operation stating that "the server was compromised and they were looking for me," leading to speculation of coordinated law enforcement involvement.

The increasingly profitable and lucrative ransomware economy has typically been characterized by a complex tangle of partnerships, with ransomware-as-a-service (RaaS) syndicates such as REvil and DarkSide renting their file-encrypting malware to affiliates recruited through online forums and Telegram channels, who launch the attacks against corporate networks in exchange for a large share of the paid ransom.

This service model allows ransomware operators to improve the product, while the affiliates can focus on spreading the ransomware and infecting as many victims as possible to create an assembly line of ransom payouts that can then be split between the developer and themselves. It is worth noting that these affiliates may also turn to other cybercriminal enterprises that offer initial access through persistent backdoors to orchestrate the intrusions.

"Affiliates typically buy corporate access from [Initial Access Brokers] for cheap and then infect those networks with a ransomware product previously obtained from the operators," Digital Shadows said in a report published in May 2021. "The rise of these threat actors in addition to the growing importance of RaaS models in the threat landscape indicates an increasing professionalization of cybercriminality."

REvil (aka Sodinokibi) shut down for the first time in mid-July 2021 following a string of high-profile attacks aimed at JBS and Kaseya earlier this year, but the crew staged a formal return in early September under the same brand name, even as the U.S. Federal Bureau of Investigation (FBI) stealthily planned to dismantle the threat actor's malicious activities without their knowledge, as reported by the Washington Post.

"The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," Group-IB's Oleg Skulkin was quoted as saying to Reuters. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them."
