Feds Reportedly Hacked REvil Ransomware Group and Forced it Offline

The Russian-led REvil ransomware gang was felled by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline for a second time earlier this week, in what is the latest action taken by governments to disrupt the lucrative ecosystem.

The takedown was first reported by Reuters, quoting multiple private-sector cyber experts working with the U.S. government, noting that the May cyberattack on Colonial Pipeline relied on encryption software developed by REvil associates, officially corroborating DarkSide's connections to the prolific criminal outfit.


Coinciding with the development, blockchain analytics firm Elliptic disclosed that $7 million in bitcoin held by the DarkSide ransomware group was being moved through a series of new wallets, with a small fraction of the amount being transferred with each transfer to make the laundered money more difficult to track and to convert the funds into fiat currency through exchanges.

On Sunday, it emerged that REvil's Tor payment portal and data leak website had been hijacked by unknown actors, with a member affiliated with the operation stating that "the server was compromised and they were looking for me," leading to speculation of coordinated law enforcement involvement.

The increasingly successful and lucrative ransomware economy has typically been characterized by a complex tangle of partnerships, with ransomware-as-a-service (RaaS) syndicates such as REvil and DarkSide leasing their file-encrypting malware to affiliates recruited through online forums and Telegram channels, who launch the attacks against corporate networks in exchange for a large share of the paid ransom.

This service model allows ransomware operators to improve the product, while the affiliates can focus on spreading the ransomware and infecting as many victims as possible to create an assembly line of ransom payouts that can then be split between the developer and themselves. It is worth noting that these affiliates may also turn to other cybercriminal enterprises that offer initial access via persistent backdoors to orchestrate the intrusions.

"Affiliates typically purchase corporate access from [Initial Access Brokers] for cheap and then infect those networks with a ransomware product previously obtained by the operators," Digital Shadows noted in a report published in May 2021. "The rise of these threat actors in addition to the growing importance of RaaS models in the threat landscape indicates an increasing professionalization of cybercriminality."

REvil (aka Sodinokibi) shut down for the first time in mid-July 2021 following a string of high-profile attacks aimed at JBS and Kaseya earlier this year, but the crew staged a formal return in early September under the same brand name, even as the U.S. Federal Bureau of Investigation (FBI) stealthily planned to dismantle the threat actor's malicious activities without their knowledge, as reported by the Washington Post last month.

"The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," Group-IB's Oleg Skulkin was quoted as saying to Reuters. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them."
