A multi-country effort has given the ransomware gang REvil a taste of its own medicine by compromising its backups and pushing its Happy Blog leak site and Tor payment site offline.
The REvil ransomware gang is unhappy, with its Happy Blog leak site and Tor payment site pushed offline yet again, this time by a multi-country battering ram.
Relying on input from three private-sector cyber experts working with the United States and one former official, Reuters reported on Thursday that the ransomware-as-a-service (RaaS) gang has been given a taste of its own medicine: specifically, the "hackers" who took out REvil's servers did it by compromising its backups.
‘HACKERS’
VMware head of cyber-security strategy Tom Kellermann told Reuters that those "hackers" were actually law enforcement and intelligence agencies from multiple countries:
“The FBI, in conjunction with US Cyber Command, the US Secret Service & like-minded countries, have truly engaged in significant disruptive actions against these groups,” Kellermann, an adviser to the US Secret Service on cybercrime investigations, stated. “REvil was top of the list.”
REvil Did not Back Away
According to Reuters' sources, REvil operators, including a top leader known as 0_neday, restored the group's websites last month from a backup that, it turns out, was under government control, without realising that law enforcement controlled some of the gang's internal systems.
Restored the Infrastructure
Reuters quoted Oleg Skulkin, Deputy Head of the forensics lab at the Russian-led security company Group-IB:
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. Ironically, the gang’s own favourite tactic of compromising the backups was turned against them.”
Decryptor Key
It is ironic, given that backups are seen as the top way to protect organisations from ransomware attacks. If an entity can simply restore its systems from backups, it does not have to pay for a decryptor key to unfreeze its seized systems, the thinking goes.
Ransomware attackers know that. So they make a science out of finding and destroying backups, to prevent their victims from surviving an attack by restoring operations from those backups. The corollary, which REvil learned the hard way, is that a backup is only as trustworthy as the controls around it: if an attacker has had access to the backup store, restoring from it can reinstall the attacker's foothold along with the data.
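The check a practitioner would want before trusting a restore is an integrity verification of the backup set against a manifest authenticated with a key the backup server never held. The following is an added example written for this article, not code from any of the groups or sources it cites: it builds a per-file SHA-256 manifest, authenticates the manifest with an HMAC under an offline key (the key, directory layout and file contents are constructed for the demonstration), and shows that a single altered file inside the backup is caught at restore time.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the demonstration. In practice this key is generated and
# kept offline (hardware token or a disconnected verification host) so that an
# attacker who owns the backup server cannot re-sign a tampered manifest.
OFFLINE_KEY = b"constructed-offline-key-not-for-real-use"


def hash_file(path):
    """SHA-256 of a file, streamed so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map every file under backup_dir (relative, '/'-separated) to its digest."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            entries[rel] = hash_file(full)
    return entries


def _canonical(manifest):
    # Stable serialisation so the HMAC does not depend on dict ordering.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Authenticate the manifest; done at backup time, on the offline host."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"files": manifest, "hmac": tag}


def verify_backup(backup_dir, signed, key):
    """Return (ok, problems). Run this before restoring anything."""
    expected = hmac.new(key, _canonical(signed["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        return False, ["manifest HMAC mismatch: manifest altered or signed with another key"]
    current = build_manifest(backup_dir)
    problems = []
    for rel, digest in signed["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in signed["files"]:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed end-to-end run: verdict on a clean set, then on a tampered one."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "etc"))
        with open(os.path.join(d, "etc", "torrc"), "w") as f:
            f.write("HiddenServiceDir /var/lib/tor/hs/\n")
        with open(os.path.join(d, "db.sql"), "w") as f:
            f.write("-- constructed dump\n")
        signed = sign_manifest(build_manifest(d), OFFLINE_KEY)
        clean_ok, _ = verify_backup(d, signed, OFFLINE_KEY)
        # Simulate an intruder who rewrote one file inside the backup set.
        with open(os.path.join(d, "etc", "torrc"), "w") as f:
            f.write("HiddenServiceDir /var/lib/tor/attacker/\n")
        tampered_ok, problems = verify_backup(d, signed, OFFLINE_KEY)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

The HMAC protects the manifest, and the manifest protects the files; neither helps if the key lives next to the backups, which is why the example labels it an offline key. For a multi-party setup, a signature from an asymmetric key kept offline serves the same purpose and lets the verifying host hold only the public half.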
Russian Language Forum
There have been rumours about REvil's reversals for a while: last week, Flashpoint reported that on Oct. 17 a REvil operator announced that the ransomware group was shutting down its presence on the high-tier Russian-language forum XSS after its domain had been "hijacked."
The threat actor explained that an unidentified person had used the private Tor keys of the group's former spokesperson, "Unknown," to access the REvil domain.
REvil Recap
This is the second time in a few months that REvil's servers have gone dark. The first time was on July 13, 2021.
After the July 2021 shutdown, REvil operators believed that Unknown had disappeared. Some believed that the spokesperson had died.
Then somebody used Unknown's keys. "The REvil operation stated that the REvil domain was accessed using Unknown's keys, confirming their concerns that a third party has backups with their service keys," according to Flashpoint's writeup.
‘Good Luck’
Over the weekend, 0_neday posted a message on the XSS cybercrime forum saying that REvil's domain had been accessed with Unknown's keys. In an XSS message captured and posted to Twitter by The Record's Dmitry Smilyanets, 0_neday explained they were giving up:
"The server had been hacked, and they were on the lookout for me. They removed the route of my secret service from the torrc file and replaced it with their own, causing me to go there. I double-checked with others, and this was not the case. Good luck to everyone; I'm leaving now." (0_neday's post to the XSS forum)
According to Flashpoint, a REvil operator confirmed that whoever had hijacked REvil’s sites had also deleted 0_neday’s access to the gang’s hidden admin server.
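0_neday's account describes a torrc edit: the HiddenServiceDir entry for the gang's onion service was swapped for one the takeover party controlled, so Tor served their keys and address instead. The same edit would work against any onion service operator, criminal or not, so the check worth having is a comparison of the live torrc and the published onion hostname against a baseline pinned at deployment. The following is an added example written for this article, not tooling from REvil, Flashpoint or Reuters; the torrc contents, directory names and onion address are constructed for the demonstration.

```python
import os
import tempfile


def parse_hidden_services(torrc_text):
    """Return {HiddenServiceDir: [HiddenServicePort values]} in file order.

    Tor attaches each HiddenServicePort line to the most recent HiddenServiceDir,
    which is what this parser reproduces. Comments and blank lines are skipped.
    """
    services = {}
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = value.rstrip("/")
            services.setdefault(current, [])
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            services[current].append(value)
    return services


def diff_against_baseline(torrc_text, baseline):
    """Compare the live torrc with the {dir: [ports]} map recorded at deployment.

    Returns a list of findings; an empty list means the hidden-service section
    is unchanged. A swapped HiddenServiceDir shows up as one removal plus one
    addition, which is exactly the edit described in 0_neday's post.
    """
    found = parse_hidden_services(torrc_text)
    findings = []
    for d in baseline:
        if d not in found:
            findings.append(f"removed HiddenServiceDir {d}")
        elif found[d] != baseline[d]:
            findings.append(f"ports changed for {d}: {baseline[d]} -> {found[d]}")
    for d in found:
        if d not in baseline:
            findings.append(f"added HiddenServiceDir {d} (ports {found[d]})")
    return findings


def onion_address_matches(hs_dir, expected_onion):
    """Tor writes the service's address to <HiddenServiceDir>/hostname.

    Pinning that address catches the case where the directory path is unchanged
    but the key material inside it has been replaced.
    """
    with open(os.path.join(hs_dir, "hostname")) as f:
        return f.read().strip() == expected_onion


# Constructed torrc as deployed (not any real operator's configuration).
BASELINE_TORRC = """\
# constructed example torrc
SocksPort 0
HiddenServiceDir /var/lib/tor/blog/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed torrc after the kind of swap 0_neday described.
TAMPERED_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/takeover/
HiddenServicePort 80 127.0.0.1:8080
"""

BASELINE = parse_hidden_services(BASELINE_TORRC)

# Constructed placeholder, not a real onion address.
PINNED_ONION = "a" * 56 + ".onion"


def demo_hostname_check():
    """Constructed run: pinned address matches, then the hostname file is replaced."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "hostname"), "w") as f:
            f.write(PINNED_ONION + "\n")
        before = onion_address_matches(d, PINNED_ONION)
        with open(os.path.join(d, "hostname"), "w") as f:
            f.write("b" * 56 + ".onion\n")
        after = onion_address_matches(d, PINNED_ONION)
        return before, after


if __name__ == "__main__":
    print(diff_against_baseline(BASELINE_TORRC, BASELINE))
    print(diff_against_baseline(TAMPERED_TORRC, BASELINE))
    print(demo_hostname_check())
```

Run on a schedule, or from a file-integrity monitor triggered on torrc changes, this turns a silent route swap into an alert. The baseline itself must be stored somewhere the torrc host cannot write to, for the same reason the backup manifest above needs an offline key.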
So much for REvil’s Reboot
REvil had recently begun to recruit new affiliates on the RAMP forum. Flashpoint pointed out that the group was offering unusually high commissions of 90% to attract affiliates.
It is not surprising to hear that the rehashed, ragtag REvil reboot would feel the need to woo new affiliates with higher pay-outs. In Sept., news broke that REvil had conned its own affiliates out of ransomware payments by using double chats & a backdoor that let REvil operators hijack ransom payments.
A day later, those affiliates took to the top Russian-language hacking forum, Exploit, to renew their demands for REvil to fork over their pilfered share of ransom payments.
XSS Users
Flashpoint noted that XSS users had been “generally incredulous” when REvil joined the RAMP forum. On Oct. 18, the XSS moderators closed the thread where REvil made its pitch for new affiliates & advised fellow users to block REvil accounts.
The underground is undoubtedly unsurprised by this new REvil takedown. It has interpreted it as proof that the gang's re-emergence in September was "part of an elaborate FBI plot to catch REvil affiliates," as Flashpoint described a LockBit representative's take.
"Several threat actors agreed with the LockBit representative and added that they believed that REvil will re-emerge again under a totally new name, leaving behind recent scandals without having to pay out old affiliates," according to Flashpoint.
REvil – Is or Was Notorious?
The REvil ransomware gang is notorious, or, perhaps more accurately, was notorious at one point and has been reshaped since July. Also known as Sodinokibi, REvil's victim list has included Kaseya and its many managed service provider (MSP) customers, the global meat supplier JBS Foods, and even Apple.
According to Reuters' sources, it is also responsible for the Colonial Pipeline attack. Unnamed officials told the outlet that the DarkSide encryption software used in the Colonial attack was actually developed by REvil associates, contradicting months of reporting that attributed the attack to a separate ransomware group named DarkSide.
Busy Month for REvil
After its servers went offline in July, a disappearance that some observers linked to its main operator avoiding the pressure generated by the Kaseya attack, REvil surfaced again in September.
September was a busy month for REvil. Its servers came back online; a fresh victim was listed on its site; ransomware payments were allegedly back up and flowing; a new REvil operator offered an explanation for the gang's two-month pause; and it told a story about how one of its coders mis-clicked and generated and issued a universal decryptor for Kaseya.
That is not how ransomware works. The underground laughed, dubbing the reborn gang likely some "mediocre, lower-tier REvil also-rans" using the name to pull an exit scam.
Multi-Country Co-ordination
Steve Forbes, a government cyber-security expert at Nominet, noted that the significance of a multi-country takedown like this one is "hard to overstate" in the ransomware battle and that this is the way to go as that battle rages.
“Ransomware has increasingly taken centre stage this year, as it has disrupted global supply chains,” Forbes explained.
“Despite not always being a very sophisticated attack method, it achieves notoriety because of its real-world impact.
A combination of network analysis to identify the tell-tale signs of a ransomware attack, robust back-ups to aid recovery, & cross-country co-ordinated takedowns will be the key to stemming the flow of successful ransomware attacks in the future.”
They will Be Back
Multiple experts stressed that nobody should assume REvil's affiliates have been neutralised. Rather, they are still hungry for profits and will likely be back.
"REvil affiliates regularly used double extortion, the exfiltration of data from victim networks with the threat of release, to compel payment," Jake Williams, co-founder and CTO at BreachQuest, commented. "These affiliates stay in line and don't release data because doing so would remove them from future work with the core group, effectively their source of income.
New Sources of Revenue
“As work from REvil is clearly drying up now, affiliates will need new sources of revenue. It will not be surprising to see stolen data sold on the dark web. I anticipate that some organisations who believed their data was safe because they paid an REvil ransom are in for a rude awakening.”
Digital Shadows’ Photon Research Team agreed. In a statement, its analysts stated that despite law enforcement operations, “it’s realistically possible that unscathed REvil affiliates will return as a rebranded ransomware group. This is a familiar tactic employed by cyber-criminals who remain intent on continuing ransomware extortion operations.”