author photo
By Bruce Sussman
Mon | Oct 25, 2021 | 4:15 AM PDT

It was last week when security researchers noticed something strange on the Dark Web.

The REvil ransomware group's "Happy Blog," where it publishes stolen data, suddenly went offline.

What had happened to the group and its DarkSide associates accused of the Colonial Pipeline and JBS Foods ransomware attacks?

By Thursday, Reuters revealed the answer.

The FBI, working with other U.S. and global law enforcement, had apparently hacked the hacking group and taken it offline.

Over the weekend, this led to an incredible amount of complaining by ransomware operators, who claim they are the victims of a bully—a bully named the United States of America.

Ransomware groups complain about U.S. led hacking 

With REvil offline, other known ransomware operators began ranting on the Dark Web. NBC News did a search and found this comment from the Conti ransomware gang:

"First, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.

With all the endless talks in your media about 'ransomware-is-bad,' we would like to point out the biggest ransomware group of all time: your Federal Government."

And they questioned the recent U.S. involvement in this type of cyber action:

"Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?" the author wrote.

NBC News says another group wrote the following:

"Only time will tell who the real bad guys are here."

A third ransomware group complained that cybersecurity companies and the FBI were getting too involved with trying to stop ransomware.

So what happened, in this case, to make these ransomware groups chirp so loudly?

What happened to the REvil ransomware gang?

Reuters broke the story of what appears to have taken place in this case, which for now has taken the REvil ransomware site offline:

A leadership figure known as "0_neday," who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.

"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend and first spotted by security firm Recorded Future. "Good luck, everyone; I'm off."

When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.

"The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them."

And VMWare's Tom Kellermann told Reuters this is a significant action:

"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list."

The U.S. announced earlier this year it is taking a "whole of government approach" to pursuing cybercriminals and disrupting their actions. And it was one of several countries involved in a recent arrest of an alleged ransomware gang member in Ukraine. 

Was REvil ransomware beat at its own game?

Cybersecurity attorney Robert Cattanach, at firm Dorsey & Whitney, says the agencies involved in this takedown used a move against the ransomware gang that it typically uses on others:

"Infecting backups with secret malware is a common strategem used by hackers to deter victims from attempting to restore their systems, and instead pay the ransom rather than going through the time and expense of a clean reboot. But apparently, someone at REvil didn’t get their own memo, and attempted to use REvil’s backup files to restore their systems – always a risk if you’ve been hacked, but one which some victims are willing to take to avoid the costly and time-consuming alternative."

And he believes this effort serves as more confirmation that law enforcement and governments are changing their approach to battling ransomware:

"It also demonstrates a resolve not previously seen by the US and its allies to pursue cybercriminals with aggressive counterstrikes, which may themselves be of dubious legality under international law. Whether this prompts even more destructive escalations by cybercriminals, or causes the likes of REvil to tap the brakes a bit, remains to be seen."

Ransomware group starts moving Bitcoin following shutdown

Are ransomware operators worried that their ability to operate without repercussions is coming to an end? It's hard to say, but we can follow the money.

Elliptic, which has a mission of preventing cybercrime in cryptoassests, says the ransom monies paid by Colonial Pipeline some five months ago are suddenly on the move. Interesting timing:

"These funds remained dormant until yesterday (October 21). Beginning at 7am GMT, the funds, now worth $7 million, were moved through a series of new wallets over the course of several hours, with small amounts being 'peeled' off at each step.

This is a common money laundering technique, used to attempt to make the funds more difficult to track and to aid their conversion into fiat currency through exchanges. The process is ongoing, but small amounts of the funds have already been sent to known exchanges.

The movement of the dormant DarkSide funds comes on the same day that it was reported that the REvil ransomware group had been hacked and forced online in a government-led operation. DarkSide has been strongly linked to REvil, with the ransomware groups sharing similarly structured ransom notes and using the same code."

There is clearly more to come in this ransomware fight, and SecureWorld News will cover it.

[RESOURCE: Register now for the upcoming SecureWorld webinar, 5 Things You Should Know About Ransomware Before It's Too Late. This is available live and on-demand.]

Comments