A US/Foreign Government Operation Hijacked the Servers of a Major Ransomware Gang (msn.com)

The U.S. Department of Defense's internet-defending Cyber Command teamed with "a foreign government" in two operations which shut down a major overseas ransomware group by hijacking its servers, reports the Washington Post. Several U.S. officials told the Post the operation left the ransomware gang's leaders "too frightened of identification and arrest to stay in business." "Domains hijacked from REvil," wrote 0_neday, an REvil leader, on a Russian-language forum popular with cyber criminals, on October 17.... "The server was compromised," he wrote hours later, "and they are looking for me." And then: "Good luck everyone, I'm taking off."

Soon after, REvil ceased operations, such as recruitment of affiliates, ransom negotiations and distribution of malware.

The Washington Post previously reported that REvil's servers ["reachable only through Tor"] had been hacked in the summer, permitting the FBI to have access. The compromise allowed the FBI, working with the foreign partner, to gain access to the servers and private keys, officials said. The bureau was then able to share that information last month with U.S. Cyber Command, enabling the hijacking, they said... Cyber Command leader General Paul Nakasone said at the Aspen Security Forum on Wednesday that while he wouldn't comment on specific operations, "we bring our best people together ... the really good thinkers" to brainstorm ways to "get after folks" conducting ransomware attacks and other malign activities. "I'm pleased with the progress we've made," he said, "and we've got a lot more to do."

The group's departure may be temporary. Ransomware gangs have been known to go underground, regroup and reappear, sometimes under a new name. But the recent development suggests that ransomware crews can be influenced — even temporarily — to cease operations if they fear they will be outed and arrested, analysts say. "The latest voluntary disappearance of REvil highlights the powerful psychological impact of having these villains believe that they are being hunted and that their identities will be revealed," said Dmitri Alperovitch, executive chairman of the think tank Silverado Policy Accelerator and a cyber expert. "U.S. and allied governments should proudly acknowledge these cyber operations and make it clear that no ransomware criminal will be safe from the long reach of their militaries and law enforcement agencies...."

Recorded Future threat intelligence analyst Dmitry Smilyanets believes "REvil as a brand is done."

And meanwhile, an anonymous Slashdot reader shares the news that German investigators "have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang," according to Threatpost. "He lolls around on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang." The showy billionaire goes by "Nikolay K." on social media, and German police are hoping he'll cruise out of Russia on his next vacation — preferably, to a country with a cooperation agreement with Germany so they can arrest him. In case he decides to kick back somewhere other than sunny Crimea, they've got an arrest warrant waiting for him....

According to Reuters, which broke the news about last week's law enforcement move against the gang, REvil's also behind the Colonial Pipeline attack, as opposed to a culprit presumed to be a ransomware group named DarkSide.

Comments Filter:
  • Apparently their software development was too complex. ;-)

  • Sounds like one of those 90s kids' shows that were trying to jump on the Power Rangers popularity bandwagon.

  • by SlashbotAgent ( 6477336 ) on Saturday November 06, 2021 @12:31PM (#61963397)

    Now the story grows legs, starts spreading wider and wider, all the while going further in to lore and legend.

    MSN reporting on a Washington Post story that may well have started on Twitter. No facts. No revelations. Just more and more speculation and hyperbole with every retelling.

    The only things we know for sure are that Cyber Command has alluded to being responsible for REvil perpetrators perhaps going into hiding. No one knows who they are, where they were, or where they went.

    • by gtall ( 79522 )

      You mean you didn't get the secret memos detailing the insides of the operation? This is an outrage. I encourage you to go right to the top, tell the world of your special insight.

  • If the reporting is reliable - and some earlier posters have called it into question - then it IS news that the US Government is owning up to this.

    What's NOT news is that the US government is infiltrating and taking down those who seek to harm the United States and its citizens and companies based in it.

    US-government espionage and counter-espionage - whether against governments or against private actors - has presumably been happening for as long as the US government has existed.

    It's safe to assume the same

  • by Rick Schumann ( 4662797 ) on Saturday November 06, 2021 @01:40PM (#61963573) Journal
    So the escalation is beginning, finally.
    The next level of escalation, I believe, will be when these cybercrime organizations, many of which are state-funded by countries like Russia, China, and North Korea, decide they've had enough and start counter-attacking.
    Expect critical infrastructure and financial institutions to be attacked, and not for 'ransom', but purely to cause damage.
    See, I believe they already have the capability to wreck entire nations, but haven't done so up to this point purely to 'not kill the goose that lays golden eggs'. But if countries are bringing the fight to them? Then perhaps that's off the table now.
    Guess we'll see. All depends on how thorough various law enforcement is in taking them down.
    • Why would they be state funded? Aren't ransomware criminals generating income that finances their continued operation?
    • No, the next level of escalation would be bullets. Millions or billions on the table are generally already enough for violence to be considered in the right situation. Change the storyline of ransomware groups from 'people who rob companies' to 'people who destroy stuff' and watch how quickly assassinations, drone strikes and the like start being thrown at the groups. In general though, when one form of crime gets too risky, criminals don't try to get into a shooting match. Rather they change to something
      • But when your arsenal to-date consists of 'cyberweapons' why would you suddenly start shooting or bombing, when you can wreck public utilities and entire economies? I think, through a combination of lack of diligence on the part of government and corporate IT, and 'cybercriminal' efforts to find vulnerabilities to exploit, they have the capability to wreck an entire country, but they don't do that because it's less profitable. Piss them off and they might just flex those cyber-muscles and do some real damag
        • I think you underestimate the fear value of being on a targeted assassination list. Suddenly, using any electronic device makes you wonder if it's essentially a homing signal. Which of your associates have decided to turn on you in exchange for a payoff? Maybe your current benefactor is worried you'll talk, and they're now after you... hey, maybe cooperating with the CIA and getting out in front of this thing is a better option.

          A lot of the benefit of a kill list for an agency like the CIA isn't necessar

  • >"the recent development suggests that ransomware crews can be influenced to cease operations if they fear they will be outed and arrested, analysts say"

    You really needed an analyst to figure this one out?
  • Forget waiting for him to go on vacation just hack one of his yachts and have it drive him out into international waters. You might need someone to plug in a USB stick or something but I doubt yachts have high-end secure software, even if they claim that they do.

  • "The server was compromised," he wrote hours later, "and they are looking for me." And then: "Good luck everyone, I'm taking off."

    Ha ha, you're dead meat, you piece of shit.

    I bet they catch him... in the current environment you have to be really, really good not to leave any viable leads or trails or traces.

    Someone in their group was probably just a little sloppy or maybe not paranoid enough, and left a trail that'll be their undoing.

    Even taking steps to conceal your origin or identity leaves a record. True

    • One of the guys from the original team tried to set up again using poisoned backups from when the Feds last took them out.

      Rookie mistake.

      SecOps 101, don't trust the data on servers you know have been compromised.

  • by dromgodis ( 4533247 ) on Sunday November 07, 2021 @04:01AM (#61965057)

    How much is Cyber Command demanding to give the servers back to REvil?

  • With the bounties on the ransomware groups offered by US government and others, how long before someone in Russia offers to "disappear" the wanted people for the bounty?

    https://www.dw.com/en/us-issue... [dw.com]

    Since they are supposedly based in Russia, and some of them have supposedly been identified, I will not be surprised if someone offers.