An operation led by the United States in coordination with other countries has made it possible to shut down the activities of the gang behind the REvil ransomware. The coalition had managed to infiltrate the infrastructure of the cybercriminal group.
We know a little more about the forced disappearance of the gang behind the REvil ransomware (also known as Sodinokibi) announced this week. According to Reuters, which cites sources familiar with the matter, it is the work of a coalition of several states led by the United States (the FBI, US Cyber Command and the Secret Service). The joint operation was carried out in two stages. The first took place in July, just after the Kaseya affair, in which the gang claimed responsibility for hacking several companies through a then-unpatched flaw in the VSA IT infrastructure management tool. The group demanded a total ransom of 70 million dollars.
Some time later, REvil dropped off the radar and a universal decryptor for the victims of the Kaseya hack was published. The origin of this valuable key was revealed a few weeks later: an FBI operation (the federal bureau had withheld the decryptor for 3 weeks in order to carry out its action). Then, in early September, members of REvil brought the gang's servers back online to resume their activity.
Caught in their own trap
But the problem, as Oleg Skulkin, deputy head of the forensics laboratory of the Russian security company Group-IB, told Reuters, was that “the ransomware group Revil restored the infrastructures from backup on the assumption that they had not been compromised”. He added: “ironically, the gang’s favorite tactic of attacking backups has backfired”.
Earlier this week, the gang went out of business again after its Tor payment portal and data-leak blog were taken over. One of its members stated on a forum that an unidentified third party had compromised a server using the private keys of a former member of the gang, named “Unknow”. Before disappearing, this member asked affiliates to contact him via Tox (an open network protocol for instant messaging, voice over IP and video conferencing) to obtain decryption keys for their ransomware campaigns. The case shows that the war against ransomware can win some battles when international cooperation works.