A multi-nation operation has reportedly hacked one of the world’s most active ransomware groups REvil, which was took responsibility for orchestrating some of the most high profile hacks in recent history.
The hacker group, also referred to as Sodinokibi, has been linked to the authors of GandCrab malware in 2018. It is believed that REvil sprouted a few months before GandCrab closed down its operations.
Point to note, a recently-published VirusTotal Ransomware Activity Report intimated that GandCrab ransomware family was the most active group in early 2020, before its prevalence ebbed significantly in the second half of the year.
Like the majority of ransomware types, the GandCrab ransomware-as-a-service product worked by holding files on infected computers hostage until a ransom payment is made by victims.
The service ran an online portal where cybercriminals sign up and pay to receive access to custom versions of the GandCrab ransomware that would be used to distribute email spam, exploit kits and other cybercriminal tools of trade.
The original GandCrab author earned a commission whenever an infected user met the ransom demand of the malware distributor – the rest of the cut would be taken earned by the cybercriminal who planted the malicious software in the victim’s computer.
An interesting observation that has since been made about the ransomware is that it does not target computers and networks in Russia or the former Soviet Union – this reality gave a strong indication that creators of the malicious software were the same actors behind the Russian-linked REvil threat group.
A History of Global Hacks
Said to be domiciled in Russia, REvil has been connected to some of the largest cyberattacks in 2021. In April, the ransomware group demanded $50 million from Apple in exchange for data that they had allegedly been harvested from one of the world’s most valued companies.
No one knows whether Apple met REvil’s demands but the cybercriminal family had sent threats about auctioning off the information based on unreleased products incase the tech giant failed to meet their demands.
Later, the ransomware gang hacked America’s largest meat supplier JBS and extorted about $11 million from the firm.
Past media reports documented the JBS hack that caused massive ripples in the meat supply chain in North America and Australia. Then, Brazil’s JBS SA informed the U.S. government about the ransomware attack that had been launched against the firm.
While confirming that the cyberattack has been orchestrated by the REvil threat group, JBS reported that they had managed to make “significant progress in resolving the cyberattack.” Then, the world’s largest meatpacker intimated that the vast majority of its beef, pork, poultry and prepared foods plants would be back in operation a day following their announcement.
The cyberattack on JBS happened to have followed a similar ransomware attack that was launched by the same group against Colonial Pipeline, considered to be the biggest fuel pipeline in the United States.
The May event caused significant issues in the energy sector, with officials noting the crippling of fuel delivery for a couple of days in the U.S. Southeast. The massive scale of the attack was apparent given that Colonial Pipeline transports refined gasoline and jet fuel from Texas up the East Coast to New York.
The response activities following the hack reflected the state of vulnerability of the energy sector as the fuel transporter was forced to shut down its 5,500-mile pipeline that is said to move 45 percent of the East Coast’s fuel supplies.
The decision to shut down its pipeline, it turns out, was meant to contain the cyberattack. There was further confusion the same week as fuel disruptions occurred along the pipeline under unclear circumstances – no one really knew whether the fuel shortage was a direct effect of the attack, or was Colonial Pipeline’s self-implemented measure to deal with the breach.
It is worth noting that the U.S. Justice Department would later seize a large proportion of the ransom that had been paid by Colonial Pipeline to the threat actors. The funds were reported to have amounted to millions of dollars in digital currency – the precise figures were later reported to be 75 Bitcoin worth an excess of $4 million according to market exchange rates at the time.
The ransomware group would go on to pull off another hack against the global IT supplier Kaseya, demanding for a $70 million ransom in exchange for access to encrypted victim files.
Barely two weeks after the Kaseya breach, REvil’s web services disappeared from the internet under unclear circumstances.
Hunter Becomes Hunted
The latest cyber enforcement action that has knocked the notorious ransomware group offline has been credited to the Federal Bureau of Investigation (FBI), U.S. Secret Service, Cyber Command, and institutions from other countries across the world.
It turns out that REvil’s dark web blog, which was used by the hackers to expose information harvested from victims, is also offline. Information concerning the FBI hack against the ransomware group started surfacing early in the week, with TechCrunch reporting that the REvil Tor website had become unavailable.
Otherwise, speculation about the law enforcement hack may have begun with revelations of a forum post whose screenshot was shared by a Twitter user – in the post, a suspected leader said that the REvil server had been compromised (See below).
A report by Reuters shared the news that may signal the turning point for dark web-enabled threat groups that have been endangering government institutions and private firms on U.S. soil and across the world.
The latest event reflects the U.S. government recent aggression against cybercriminal enterprises that have terrorized organizations through ransomware attacks. In addition to creating a crypto enforcement unit, the U.S. Treasury has tightened sanctions that are designed to inhibit the process of criminals cashing in from hacking incidents.
Nonetheless, it’s worth noting that this may not be the ultimate end of the notorious ransomware group. Past reports have pointed to the fact that the hacking family has gone off the dark web before, only to resurface later under unclear circumstances.
Looking Back – REvil Has Disappeared Before
REvil first disappeared from the internet in July when they targeted Kaseya, an IT solutions supplier for Managed Service Providers (MSPs) and corporate clients.
Kaseya VSA, in particular, is a notable software product used for remote network management. It is quite popular with a host of managed security providers, and companies that have specialized in supplying IT solutions to other corporate actors.
It goes without saying that the construction and approach of network management software makes it a particularly attractive candidate for cybercriminals. They can quite easily hide a back door owing to the fact that these systems enjoy broad access to a firm’s computer networks, and implement a large volume of tasks. The attributes make them especially challenging for cyber teams to monitor on a regular basis.
The high profile attack on Kaseya was confirmed by the organization that stated that it had become the victim of a cyberattack over the American Independence Day weekend.
Point to note, the scale of the attack had massive ramifications against the corporate divide considering the significance of Kaseya services across the world. It turns out that the firm’s software is built in the context of serving more than 40,000 companies and MSPs in different countries.
The fact that Kaseya supplies tech solutions to MSPs that serve other companies shows the importance of the software supply chain player.
In reflection of exactly what happened with the Kaseya hack, a malicious hotfix was released and pushed by VSA servers on the July 3, 2021. The malicious program was then sent out to servers managed by Kaseya, an action that led to the compromising and encryption of thousands of nodes affecting hundreds of different organizations and enterprises.
According to cybersecurity analysts, the malicious hotfix embedded a ransomware payload dubbed sodinokibi that was traced back to the REvil ransomware group – it encrypted the infected servers and shared folders.
What Happened Then?
The July disappearance of REvil followed a mix of reactions both online and offline. At the time, cybersecurity experts could not figure out the exact reason for the ransomware group’s outage. A number of theories surfaced in an attempt to rationalize how the world’s most powerful ransomware group may have decided to go offline.
Then, a section of commentators asserted that the group had disappeared forever in light of the fact that the ransomware family had never gone offline under any circumstance since it started in 2019.
Expectedly, a number of cyber analysts believed that REvil’s decision at the time may have been informed by the need to respond to the Biden administration’s warning about a planned onslaught against cybercriminal groups endangering U.S. institutions and firms.
Still, on the same issue, media houses were awash with reports that President Biden had asked Russian President Putin to make a genuine commitment towards putting an end to the cybercriminal activities emanating from Russian soil.
This follows the longstanding belief that the Russian government has always been reluctant to crack the whip on local-based threat groups as long as they did not target domestic institutions and companies. Worse still, various security experts had gone further to flag suspicions that the Russian government itself was guilty of sponsoring some of the most lethal cyberattacks in modern history.
Nonetheless, even with all the wild speculations that arose at the time, it was possible that the ransomware group had gone offline under their own volition as a strategy to mitigate the massive attention they were drawing from international law enforcement.
The possibility that REvil operators were also reconfiguring their operational strategy is real. They may have studied past events and thought it fit to suspend their cybercriminal activities before reappearing as a rebranded outfit looking to operate under the law enforcement radar.
At the time, Egnyte’s cybersecurity expert Neil Jones told CPO Magazine that REvil’s potency was not a thing to be underestimated. He advised organizations to keep their guard up in anticipation of ransomware attacks that would potentially cripple their operations and cause significant economic damages.
Overall, it was very difficult to know what exactly had happened to the REvil ransomware group as institutions and law enforcement agencies scrambled to bolster the existing cyber defences against the group’s possible return to action.
Return after a 2-Month Hibernation
REvil made its comeback barely two months following their successful hack against Kaseya in July. Cybersecurity analysts confirmed that the dark web servers for the ransomware operation got switched back on after the two-month break.
Then, no one had a clear idea whether the ransomware gang was back in action, or the reappearance happened to be a law enforcement action to gather evidence.
The events elicited excitement across various cybersecurity circles, with an underground intelligence commentator and Recorded Future author sharing a screenshot of the now-operational REvil’s data leak site called Happy Blog via Twitter (See below).
In addition, the cyber news site Bleeping Computer reported that a new victim entry was made by REvil operators on July 8 following the cyberattack by the group. The new platform went on to intimate that the Tor negotiation website was also back online.
However, unlike the fully functional Happy Blog, REvil’s Tor negotiation site was reportedly not fully operational at the time. Bleeping Computer discovered that while users could view the login screen, they couldn’t log in to the site.
While speaking to ZDNet, ransomware guru Allan Liska commented that REvil’s return was expected – although it was predicted that the ransomware group would make a comeback under a different business name and a new ransomware type.
The ransomware expert went on to associate the ransomware gang’s disappearance with their need to disappear from the law enforcement radar following their aggressive cyberattacks that had gotten the full attention of the world.
Importantly, Liska pointed out that REvil’s return whilst retaining their group name was was going to be a liability in the long term. He pegged his argument on the expectation that law enforcement agencies and cyber researchers were definitely going to keep probing for information concerning the planned activities of REvil operators.
As fate would have it, the cybersecurity expert’s remarks would get vindicated because the authorities have finally managed to knock the ransomware group online.
With what has happened with REvil before, there’s no telling whether this is the end for one of the most powerful ransomware families in recent history. Perhaps, as observed by a number of cybersecurity analysts, REvil will metamorphose into another gang by changing tactics and making a return to the ransomware industry.
Indeed, it is not difficult to imagine that REvil operators will let go of the ransomware trade that has since grown into a multibillion-dollar industry as reported by cyber investigators. The findings also show that most of the spoils made in the illicit trade are typically shared among a small number of organized threat groups.
About 85 percent of American critical infrastructure is controlled by the private sector, which explains why firms such as Colonial Pipeline would get hit by a bunch of hackers. The assumption is that privately-owned organizations are not obligated to adhere to stringent cybersecurity protocols as required by the U.S. government.
As such, 2020 figures intimate that that the total amount of ransom that was paid by ransomware victims to threat actors hit the $350 million in digital currency – the numbers account for a 311 percent rise in the value of ransom paid to cybercriminals when compared to the year 2019.