EXCLUSIVE Governments turn the tables on REvil ransomware gang by taking it offline


October 21 (Reuters) – The REvil ransomware group was itself hacked and forced offline this week by a multi-country operation, according to three private-sector cyber experts working with the United States and a former official.

Former partners and associates of the Russian-led criminal gang were responsible for a cyber attack in May on Colonial Pipeline that caused widespread gasoline shortages on the US east coast. REvil’s direct victims include top meatpacker JBS (JBSS3.SA). The criminal group’s “Happy Blog” website, which it had used to leak victim data and extort companies, is no longer available.

Officials said the Colonial attack used ransomware known as DarkSide, which was developed by REvil associates.

Tom Kellermann, head of cybersecurity strategy at VMware (VMW.N), said law enforcement and intelligence personnel have kept the group from victimizing other companies.

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have genuinely engaged in significant disruptive actions against these groups,” said Kellermann, an adviser to the US Secret Service on cybercrime investigations. “... the list.”

A senior figure known as “0_neday,” who helped restart the group’s operations after a previous shutdown, said REvil’s servers had been hacked by an unnamed party.

“The server was compromised and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. “Good luck to everyone; I’m leaving.”

Attempts by the US government to shut down REvil, one of the worst of dozens of ransomware gangs that work with hackers to break into and cripple businesses around the world, gained momentum after the group compromised US software management company Kaseya in July.

That breach opened access to hundreds of Kaseya customers at once, triggering numerous emergency calls for cyber incident response.

DECRYPTION KEY

Following the Kaseya attack, the FBI obtained a universal decryption key that allowed people infected through Kaseya to recover their files without paying a ransom.

But law enforcement officials initially withheld the key for weeks as they quietly pursued REvil staff, the FBI later acknowledged.

According to three people familiar with the matter, law enforcement and intelligence cyber specialists managed to hack into REvil’s computer network infrastructure, gaining control of at least some of its servers.

After the websites the hacking group used to conduct business were taken offline in July, the group’s main spokesperson, who calls himself “Unknown,” disappeared from the Internet.

When gang member 0_neday and others restored those websites from a backup last month, they unknowingly restarted some internal systems that were already under law enforcement control.

“The REvil ransomware gang restored the infrastructure from the backups assuming they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russia-led security company Group-IB. “Ironically, the gang’s own preferred tactic of compromising backups backfired.”

Trusted backups are one of the most important defenses against ransomware attacks, but they must be kept disconnected from the main network, or they too can be encrypted by extortionists such as REvil.
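The lesson in the two paragraphs above is that a backup restored on the assumption that it is clean is a liability: it should be verified against a record kept off the network before anything is brought back up. The following is an added example, not code from the article or from any party it describes; it builds a constructed backup archive, records its SHA-256 in a manifest authenticated with an HMAC key (assumed to live offline, never on the production network), and refuses to restore if either the manifest or the archive has changed. All file names, the key and the tampering step are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tarfile
import tempfile


def make_backup(src_dir: str, archive_path: str) -> None:
    """Pack src_dir into a gzip tarball (constructed sample data, not a real system)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")


def digest_file(path: str) -> str:
    """SHA-256 of the archive bytes, streamed so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(archive_path: str, key: bytes) -> dict:
    """Build a manifest for the archive and authenticate it with an HMAC over its canonical JSON."""
    manifest = {"archive": os.path.basename(archive_path), "sha256": digest_file(archive_path)}
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_before_restore(archive_path: str, signed: dict, key: bytes) -> tuple:
    """Return (ok, reason). Check the manifest's HMAC first, then the archive against the manifest."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the tag
    if not hmac.compare_digest(expected, signed["hmac"]):
        return False, "manifest authentication failed"
    if digest_file(archive_path) != signed["manifest"]["sha256"]:
        return False, "archive digest mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the clean, archive-tampered and manifest-tampered cases; returns each verdict."""
    key = b"constructed-offline-hmac-key"  # assumption: kept off the production network
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, "config.txt"), "w") as f:
            f.write("clean configuration\n")
        archive = os.path.join(tmp, "backup.tgz")
        make_backup(src, archive)
        signed = sign_manifest(archive, key)

        results["clean"] = verify_before_restore(archive, signed, key)

        # Simulate a manifest altered by someone who could reach the backup store
        # but not the offline key: the digest field is rewritten to a bogus value.
        forged = {"manifest": dict(signed["manifest"]), "hmac": signed["hmac"]}
        forged["manifest"]["sha256"] = "0" * 64
        results["manifest_tampered"] = verify_before_restore(archive, forged, key)

        # Simulate the archive itself being modified while it sat on the network.
        with open(archive, "ab") as f:
            f.write(b"\x00constructed-tampering")
        results["archive_tampered"] = verify_before_restore(archive, signed, key)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The ordering matters: the manifest is authenticated before the archive is hashed, so an attacker who can edit the manifest on the backup store cannot simply rewrite the expected digest to match a poisoned archive. Only the holder of the offline key can produce a manifest the restore step will accept.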

A spokesperson for the White House National Security Council declined to comment specifically on the operation.

“Broadly speaking, we are leading a comprehensive whole-of-government effort on ransomware, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold accountable the countries that harbor ransomware actors,” the person said.

The FBI declined to comment.

A person familiar with the events said a foreign partner of the US government carried out the hacking operation that penetrated REvil’s IT infrastructure. A former US official, who requested anonymity, said the operation was still active.

The success stems from the determination of U.S. Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security issue bordering on terrorism, Kellermann said.

In June, Senior Assistant Deputy Attorney General John Carlin told Reuters that the Justice Department was elevating investigations into ransomware attacks to a similar priority.

Such actions gave the Department of Justice and other agencies a legal basis for enlisting help from U.S. intelligence agencies and the Department of Defense, Kellermann said.

“Before, you couldn’t hack into these forums, and the military didn’t want anything to do with it. The gloves have come off ever since.”

Reporting by Joseph Menn and Christopher Bing; Editing by Chris Sanders and Grant McCool
