Hacking News

Take Down Top Ransomware hacker group REvil with a hack of Their own

According to a Reuters report, the government has successfully hacked hacking group REvil, the entity behind the ransomware linked to leaked Apple leaks, attacks on enterprise software vendors and more. Sources in the outlet reveal that the FBI, Secret Service, Cyber ​​Command and organizations in other countries have worked together this month to take the group’s operations offline. The group’s dark web blog, which exposed information derived from its targets, is also reportedly offline.

Reports of the group going offline began to surface earlier this week, with TechCrunch writing that its Tor website was unavailable on Monday. There was speculation of a hack, which was said by a forum post by one of the group’s suspected leaders that its servers were “compromised”, but at the time, it was unclear who was responsible. Reuters, citing sources, said the government’s operation against ransomware hackers, including Revil, is still ongoing.

 

THE US HAS BEEN TURNING THE SCREWS ON RANSOMWARE GROUPS

The US is slowly cracking down on groups linked to ransomware, as attacks become more and more costly for companies (one company reportedly paid a $40 million ransom to restore its operations). The Treasury pushed forward sanctions that made it harder to convert hacked machines into cash, and the Justice Department in its announcement several times cited the effects of ransomware as a team to investigate crimes committed by cryptocurrency exchanges.

The high-profile or high-impact nature of Reville’s attacks has put a lot of heat on him. It is responsible for an attack on an Apple supplier that leaked plans for the MacBook it launched this week, as well as attacks on massive meat processor JBS, IT management software developer Kasya, Travelex, and Acer. The group was named by the US Treasury’s Financial Crimes Enforcement Network as one of the largest ransomware groups in terms of reported payments.

REvil ransomware group

REVIL IS ONE OF THE LARGEST RANSOMWARE GROUPS, ACCORDING TO THE TREASURY

Revil has gone offline before — its site disappeared from the dark web in July after the FBI said the group was responsible for bringing down JBS, the company responsible for a fifth of the world’s meat supply.

It’s always possible that the group could return, though trying to recover from going down in July, which opened it up to US attacks in the first place. According to Reuters sources, one of the members of the group restored the backup and inadvertently involved the system being compromised by law enforcement. A Russian security expert tells Reuters that infecting backups is a tactic commonly used by Revil itself.

EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline

Ransomware group Revil was hacked this week by a multi-country operation and forced to go offline, according to three private sector cyber experts working with the United States and a former official.

Former associates and allies of the Russian-led criminal gang were responsible for the May cyber attack on the Colonial Pipeline, which led to the U.S. There was a widespread gas shortage on the east coast. Direct victims of Reville include top meatpacker JBS (JBSS3.SA). The crime group’s “Happy Blog” website, which was used to leak victims’ data and recover from companies, is no longer available.

Officials said the Colonial attack used encryption software called Darkside, which was developed by Reville allies.

Tom Kellerman, head of VMWare’s (VMW.N) cybersecurity strategy, said law enforcement and intelligence personnel prevented the group from hunting down additional companies.

“The FBI, in collaboration with Cyber ​​Command, the Secret Service and like-minded nations, has taken significant disruptive action against these groups,” said Kellerman, a US Secret Service adviser on cybercrime investigations. “Reville was at the top of the list.”

A leadership figure known as “0_neday”, who previously helped restart the group’s operations after the shutdown, said that Reville’s servers had been hacked by an unidentified party.

“The servers were compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum late last week and was first spotted by security firm Recorded Future. “Good luck, everyone, I’m off.”

The U.S. government attempts to stop Revil, one of dozens of ransomware gangs working with hackers to break into and paralyze companies around the world, the group launched in July in the U.S. Accelerated after settlement with software management company Kasia.

That breach opened up access to hundreds of Kasia’s customers at once, leading to multiple emergency cyber incident response calls.

decryption key

After the attack on Kasia, the FBI obtained a universal decryption key that allowed those infected with Kasia to recover their files without paying a ransom.

But law enforcement officers initially held the key for weeks as it quietly pursued Reville’s employees, the FBI later acknowledged.

According to three people familiar with the matter, law enforcement and intelligence cyber experts were able to hack the infrastructure of Reville’s computer network, gaining control of at least some of their servers.

After the hacker group’s business websites went offline in July, the group’s main spokesperson, who calls himself an “anonymous”, disappeared from the Internet.

When gang member 0_neday and others restored those websites from backup last month, they inadvertently restarted some internal systems that were already controlled by law enforcement.

“The Revil ransomware gang restored infrastructure from backup under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of forensic labs at Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising backup was against them.”

Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected to the main network or they may even be encrypted by extortionists like Revil.

A spokesman for the White House National Security Council declined to comment specifically on the operation.

“Broadly, we are looking at disrupting ransomware infrastructure and actors, working with the private sector to modernize our defenses, and creating an international coalition to hold countries that have paid ransomware across the entire spectrum of government ransomware.” Trying,” said the person. .

The FBI declined to comment.

A person familiar with the incidents said a foreign partner of the US government carried out a hacking operation that penetrated Reville’s computer architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.

Kellerman said the success stemmed from US Deputy Attorney General Lisa Monaco’s determination that ransomware attacks on critical infrastructure should be treated as a national security issue similar to terrorism.

In June, Principal Associate Deputy Attorney General John Carlin told Reuters that the Justice Department was scaling up its investigation of ransomware attacks on equal priority.

Such actions gave the Justice Department and other agencies a legal basis for seeking help from US intelligence agencies and the Defense Department, Kellerman said.

“Before, you couldn’t hack into these forums, and the military wanted nothing to do with it. Since then, the gloves have come off.”

Reporting by Joseph Main and Christopher Byng; Editing by Chris Sanders and Grant McCool

 

REvil ransomware group that hacked Apple designs has itself been hacked by the FBI

Back in April, the Revil ransomware group hacked into Mac assembler Quanta to reveal 2021 MacBook Pro designs ahead of launch. Now Reville has been hacked in an FBI-led operation in partnership with the Secret Service and law enforcement agencies in several countries.

Law enforcement gained control of several REvil servers in an operation designed to prevent further attacks and to chase down individuals involved in running the ransomware group…

background
Ransomware group Reville said in April that it had hacked systems belonging to Apple supplier Quanta Computer and obtained internal engineering schematics for several new products. It backed up this claim by sharing examples, which initially did not yield anything new.

Reville first attempted to blackmail Quanta in exchange for $50M, and later tried to do the same with Apple.

When that failed, Reville went ahead and released schematics that revealed the new ports found in the 2021 MacBook Pro. When the machines were launched with MagSafe, HDMI and SD card slot I/O, the schematics proved to be accurate.

FBI hacked the Revil ransomware group
Reuters reports that the FBI and other law enforcement agencies are now eyeing the group.

Three private sector cyber experts working with the United States and a former official […] used to leak victims’ data and pay ransoms to companies is no longer available […]

Tom Kellerman, head of VMWare cybersecurity strategy, said law enforcement and intelligence personnel prevented the group from hunting down additional companies.

“The FBI, along with Cyber ​​Command, the Secret Service, and like-minded countries, have actually taken significant disruptive action against these groups,” said Kellerman, a US Secret Service adviser on cybercrime investigations. “Reville was at the top of the list.”

The actual attack is said to have been carried out by a cyber security team from “a foreign partner”. One of the individuals behind REvil confirmed that this had happened.

A leadership figure known as “0_neday”, who previously helped restart the group’s operations after the shutdown, said that Reville’s servers had been hacked by an unidentified party.

“The servers were compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend and was first spotted by security firm Recorded Future. “Good luck everyone; I’m leaving.”

In a delicious piece of irony, law enforcement used one of Reville’s own tactics against it. A common response to ransomware attacks that encrypt data is to restore from a backup. Reville often injects code into backups to frustrate it, and the FBI-led operation reportedly did the same with the group’s own backups. They removed many of the websites used by the group, and compromised backups.

When gang member 0_neday and others restored those websites from backup last month, they inadvertently restarted some internal systems that were already controlled by law enforcement.

“The Revil ransomware gang restored infrastructure from backup under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of forensic labs at Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising backup was against them.”

3 Comments