Government Agents Compromise REvil Backups to Force Group Offline

Written by

The US authorities appear to have scored another win in their fight against ransomware by forcing the infamous REvil group offline. Experts have warned that there could be repercussions for former breach victims.

One former official and three private-sector cybersecurity experts confirmed to Reuters that an international operation was responsible for taking the group’s data leak site “Happy Blog” offline a few days ago.

Government specialists managed to compromise some of the group’s backups so that when it restarted services after another outage in July, they were already in the hands of law enforcement.

Although official sources declined to comment, the White House has been ramping up the pressure on ransomware actors since the Colonial Pipeline outage in May, an attack that REvil-linked DarkSide group carried out.

REvil and its affiliates were responsible for the monumental supply chain attack on Kaseya and many others, amassing a fortune in the process.

The Biden administration launched a DoJ Ransomware and Digital Extortion Task Force in April and signaled its intent to treat these offenses as they would terrorist attacks.

Jake Williams, CTO at BreachQuest, said news of the REvil take-down has been circulating in closed threat intelligence groups for several days.

The leader of the group, “Unknown,” disappeared in July, with Williams suggesting it’s likely either they or a close conspirator were arrested and forced to provide access to the group’s infrastructure.

However, he warned that there might be more pain in store for previous victims of REvil affiliates that have had data stolen in “double extortion” attacks.

“These affiliates stay in line and don’t release [exfiltrated] data because doing so would remove them from future work with the core group, effectively their cash cow. As work from REvil is clearly drying up now, affiliates will need new sources of revenue,” Williams argued.

“It won’t be surprising to see stolen data sold on the dark web. I anticipate that some organizations who believed their data was safe because they paid an REvil ransom are in for a rude awakening.”

What’s hot on Infosecurity Magazine?