
Governments Turn Tables On Ransomware Gang REvil By Pushing It Offline (reuters.com)

An anonymous reader shares a report from Reuters: The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official. Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available. Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

VMware head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list." [...] U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls. Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. But law enforcement officials initially withheld the key for weeks as it quietly pursued REvil's staff, the FBI later acknowledged. According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.

After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet. When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement. "The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them." Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected from the main networks or they too can be encrypted by extortionists such as REvil.

  • ...with a tomahawk missile. 'nuf said. A group that cripples hospitals or energy providers doesn't deserve any less.
    • I think the Ruskis might get a bit upset about that. However, perhaps Putin's tactics should be used against him - the CIA (or whoever) must have some agents who could find where these guys live and, when the chance arises, put a bullet in them then vanish.

      • I think the Ruskis might get a bit upset about that. However, perhaps Putin's tactics should be used against him - the CIA (or whoever) must have some agents who could find where these guys live and, when the chance arises, put a bullet in them then vanish.

        Polonium.

      • by dargaud ( 518470 )
        Yeah, I keep seeing these ridiculous villains in James Bond type films, but then James Bond never goes after hackers who wreck economies at the direction of politicians villains with ridiculous hair...
    • by syn3rg ( 530741 )
      Aren't these the same idiots what went after da Teamsters?
  • They took down their website! Well that'll show those rascals who's boss! Good thing once your website is taken offline it's impossible to put a new one up. Whew!

    Seriously, want to brag about something? How about pushing the actual people behind the group and their attacks into a jail cell. Until then stop writing self-congratulatory press releases and get back to work.
    • by znrt ( 2424692 )

      They took down their website! Well that'll show those rascals who's boss! Good thing once your website is taken offline it's impossible to put a new one up. Whew!

      well, tbh and if you believe the article (some salt recommended) they somehow managed to compromise the webserver ... without the others knowing. that's something, and they could potentially have gotten some information from there ... before blowing it up, that is.

      but yeah, definitely, that this is even news just highlights their level of embarrassment. although apparently not for the gullible and vengeful plebs, reading this thread. which is why media loves this kind of bullshit, i guess.

      the best of the sh

  • by argStyopa ( 232550 ) on Friday October 22, 2021 @10:45AM (#61917467)

    I mean, that's how it's being advertised. ...OTOH, one could as well reframe it as "Bored group of amoral hackers who discovered a way to monetize their puzzle-solving nature given new more challenging puzzle by government".

    Truly: these sorts of things will not diminish until there are REAL WORLD consequences for these sorts of activities. And on a timeframe shorter than the what, decade? it takes to prosecute someone now?

    I mean, not until we treat some script-kiddie that deploys a darkweb tool to open the floodgates of a dam as the EXACT equivalent of a terrorist who does the same thing in more old-fashioned kinetic (bomb) way, they're not going to stop.

    • Bored group of amoral hackers who discovered a way to monetize their puzzle-solving nature given new more challenging puzzle by government

      Isn't that also just the NSA?

  • This is a lot of boasting for a story that ends with "and no one was caught".

  • Just make sure they are write-once-only if they are online.

    It's a bit dated and too small for most practical uses today, but write-once DVD and CD media qualified.

    Today, a bank of solid-state drives or other storage media that is designed to be non-erasable by the host computer would probably do the trick if you need your backups to be "online."

    Now, this will not stop corruption, but it will allow you to go back in time to a pre-corrupt state. It also won't stop the bad guys from stealing your data and say
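The comment above, together with the article's closing point that backups must be kept out of reach of the main network, describes a write-once backup store: the host can add new snapshots but can never alter or erase old ones, so after a destructive event you roll back to the last clean snapshot. The following is an added example illustrating that pattern in Python; it is not code from the article, from Reuters, or from any commenter. It assumes an ordinary filesystem (snapshot files are merely chmod'ed read-only as an advisory measure; genuine WORM media or an object-lock feature would enforce immutability itself) and uses a constructed "live" tree and a constructed destructive overwrite as the stand-in for an extortionist's encryption.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


class WriteOnceBackupStore:
    """Append-only snapshot store. Each backup run creates a new, numbered
    snapshot; earlier snapshots are never modified or deleted by the host,
    and a SHA-256 manifest lets a restore check that the snapshot is intact."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def snapshot_ids(self):
        return sorted(int(p.name.split("-")[1]) for p in self.root.glob("snap-*"))

    def _snapshot_dir(self, n):
        return self.root / f"snap-{n:04d}"

    def backup(self, source):
        """Copy the tree under `source` into a brand-new snapshot; return its id."""
        source = Path(source)
        n = (self.snapshot_ids() or [0])[-1] + 1
        dest = self._snapshot_dir(n)
        if dest.exists():  # write-once: an existing snapshot is never overwritten
            raise RuntimeError(f"snapshot {n} already exists")
        dest.mkdir()
        manifest = {}
        for path in sorted(source.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(source).as_posix()
            data = path.read_bytes()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            os.chmod(target, 0o444)  # advisory only; real WORM media enforces this itself
            manifest[rel] = hashlib.sha256(data).hexdigest()
        (dest / "MANIFEST.json").write_text(json.dumps(manifest, sort_keys=True))
        return n

    def verify(self, n):
        """Return manifest entries whose file is missing or whose hash changed."""
        dest = self._snapshot_dir(n)
        manifest = json.loads((dest / "MANIFEST.json").read_text())
        return [rel for rel, digest in manifest.items()
                if not (dest / rel).is_file()
                or hashlib.sha256((dest / rel).read_bytes()).hexdigest() != digest]

    def restore(self, n, target):
        """Roll `target` back to snapshot n; refuse if the snapshot fails verification."""
        damaged = self.verify(n)
        if damaged:
            raise RuntimeError(f"snapshot {n} is damaged: {damaged}")
        target = Path(target)
        if target.exists():
            shutil.rmtree(target)
        dest = self._snapshot_dir(n)
        for rel in json.loads((dest / "MANIFEST.json").read_text()):
            out = target / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes((dest / rel).read_bytes())


def _tree(root):
    """Map of relative path -> bytes for every file under root."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in Path(root).rglob("*") if p.is_file()}


def demo():
    """Constructed scenario: snapshot a small live tree, overwrite every live file
    (stand-in for an extortionist's encryption), then recover from the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (live / "notes.txt").write_text("quarterly report draft\n")
        originals = _tree(live)
        store = WriteOnceBackupStore(Path(tmp) / "worm")
        snap = store.backup(live)
        for p in live.rglob("*"):  # destructive event hits the live tree only
            if p.is_file():
                p.write_bytes(b"<<unreadable>>")
        live_damaged = all(v == b"<<unreadable>>" for v in _tree(live).values())
        later = store.backup(live)  # post-incident run gets a new id, never overwrites
        tampered = store._snapshot_dir(later) / "notes.txt"
        os.chmod(tampered, 0o644)  # simulate a host that managed to alter a snapshot file
        tampered.write_bytes(b"altered")
        store.restore(snap, live)  # only the verified pre-incident snapshot is used
        return {"snapshot": snap, "later_snapshot": later, "live_damaged": live_damaged,
                "snapshot_intact": store.verify(snap) == [],
                "tamper_detected": store.verify(later), "recovered_ok": _tree(live) == originals}


if __name__ == "__main__":
    print(demo())
```

The point the store makes concrete is the one the comment draws: the snapshot taken before the incident survives untouched because nothing in the normal backup workflow is allowed to write to it, a later backup of already-damaged data gets its own id rather than replacing the good copy, and the manifest check is what tells you which snapshot you can trust before you restore from it.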

  • MICROS~1 WINDOW~1 strikes again ..
