The Russian-led REvil ransomware gang was felled by an active
multi-country law enforcement operation that resulted in its
infrastructure being hacked and taken offline[1]
for a second time earlier this week, in what’s the latest action[2]
taken by governments to disrupt the lucrative ecosystem.
The takedown was first reported by Reuters[3], which quoted multiple
private-sector cyber experts working with the U.S. government and
noted that the May cyber attack[4]
on Colonial Pipeline relied on encryption software developed by
REvil associates, officially corroborating DarkSide’s connections[5]
to the prolific criminal outfit.
Coinciding with the development, blockchain analytics firm
Elliptic disclosed[6]
that $7 million in bitcoin held by the DarkSide ransomware group
was moved through a series of new wallets, with only a small
fraction of the amount transferred at each step, making it more
difficult to track and convert[7]
the funds[8]
into fiat currency through exchanges.
On Sunday, it emerged that REvil’s Tor payment portal and data
leak website had been hijacked by unidentified actors, with a
member affiliated with the operation stating that “the server was
compromised and they were looking for me,” leading to speculation[9]
of coordinated law enforcement involvement.
The increasingly successful and profitable ransomware economy
has been typically characterized by a complex tangle of
partnerships, with ransomware-as-a-service (RaaS) syndicates such
as REvil and DarkSide renting their file-encrypting malware to
affiliates recruited through online forums and Telegram channels,
who launch the attacks against corporate networks in exchange for a
large share of the paid ransom.
This service model allows ransomware operators to improve the
product, while the affiliates can focus on spreading the ransomware
and infecting as many victims as possible to create an assembly
line of ransom payouts that can then be split between the developer
and themselves. It’s worth noting these affiliates may also turn to
other cybercriminal enterprises that offer initial access[10] via persistent
backdoors to orchestrate the intrusions.
“Affiliates typically buy corporate access from [Initial Access
Brokers] for cheap and then infect those networks with a ransomware
product previously obtained by the operators,” Digital Shadows
said[11] in a report published
in May 2021. “The rise of these threat actors in addition to the
growing importance of RaaS models in the threat landscape indicates
an expanding professionalization of cybercriminality.”
REvil (aka Sodinokibi) shut down[12] for the first time in
mid-July 2021 following a string of high-profile attacks aimed at
JBS[13] and Kaseya[14] earlier this year, but
the crew staged a formal return in early September under the same
brand name, even as the U.S. Federal Bureau of Investigation (FBI)
stealthily planned to dismantle the threat actor’s malicious
activities without their knowledge, as reported by the Washington
Post.
“The REvil ransomware gang restored the infrastructure from the
backups under the assumption that they had not been compromised,”
Group-IB’s Oleg Skulkin was quoted as saying to Reuters.
“Ironically, the gang’s own favorite tactic of compromising the
backups was turned against them.”
References
- [1] taken offline (thehackernews.com)
- [2] latest action (thehackernews.com)
- [3] Reuters (www.reuters.com)
- [4] May cyber attack (thehackernews.com)
- [5] connections (www.trendmicro.com)
- [6] disclosed (www.elliptic.co)
- [7] convert (thehackernews.com)
- [8] the funds (thehackernews.com)
- [9] speculations (www.flashpoint-intel.com)
- [10] offer initial access (thehackernews.com)
- [11] said (www.digitalshadows.com)
- [12] shut down (thehackernews.com)
- [13] JBS (thehackernews.com)
- [14] Kaseya (thehackernews.com)