On Sunday, it was revealed that REvil’s Tor payment portal and data leak website had been hacked by unknown actors, with one of the operation’s members claiming that “the server was breached and they were hunting for me,” leading to rumors of a concerted law enforcement effort.
The Russian-led REvil ransomware gang was brought down by a multi-country law enforcement operation earlier this week that saw its infrastructure hacked and taken offline for the second time, the latest government action aimed at disrupting the lucrative ransomware ecosystem.
The takedown was first reported by Reuters, which cited multiple private-sector cybersecurity experts working with the US government as saying that the May cyber attack on Colonial Pipeline used encryption software developed by REvil associates, confirming DarkSide's ties to the criminal organisation.
Elliptic, a blockchain analytics firm, discovered that the DarkSide ransomware group moved $7 million in bitcoin through a series of newly created wallets, peeling off only a small fraction of the total at each hop so that the illicit funds would be harder to trace and to convert into fiat currency through exchanges.
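The laundering pattern described above is commonly called a "peel chain": a large balance is passed through a succession of fresh addresses, and at every hop a small amount is split off towards a cash-out point while the bulk moves on. The following Python example is added here to make the tracing problem concrete; it is not Elliptic's code or data, the transactions are constructed, and the `Tx`, `build_peel_chain` and `follow_peel_chain` names are illustrative. It applies the usual analyst heuristic (the largest output of each hop is the continuation, the smaller outputs are the peeled amounts) and reports how much was peeled and where.

```python
"""Follow a constructed bitcoin-style 'peel chain'.

Added illustrative example (not Elliptic's tooling or data). A peel chain moves a
large balance through fresh addresses, sending a small amount to a cash-out
address at each hop. The tracing heuristic: at every transaction the largest
output carries the bulk of the funds onward, every other output is 'peeled'.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # list of (txid, vout) tuples this transaction spends
    outputs: list  # list of (address, amount_btc) tuples, in output-index order


def build_peel_chain(start_btc: float, peel_btc: float, hops: int) -> list:
    """Construct a synthetic chain: start_btc is peeled by peel_btc per hop.

    Output order alternates between hops so that the output index alone does
    not reveal which output is the continuation (a common obfuscation).
    """
    txs = []
    prev_txid, prev_vout, balance = "funding_tx", 0, start_btc
    for i in range(hops):
        balance -= peel_btc
        outputs = [(f"cashout{i:02d}", peel_btc), (f"fresh{i:02d}", balance)]
        if i % 2:
            outputs.reverse()
        txid = f"tx{i:02d}"
        txs.append(Tx(txid, [(prev_txid, prev_vout)], outputs))
        # the continuation output is the one holding the remaining balance
        prev_txid = txid
        prev_vout = max(range(len(outputs)), key=lambda k: outputs[k][1])
    return txs


def follow_peel_chain(txs: list, start_txid: str) -> dict:
    """Walk the chain from start_txid by always following the largest output.

    Returns the hop count, the total peeled off, the balance still sitting on
    the last unspent continuation output, and the peel (cash-out) addresses,
    which is the list an analyst would pass on to exchanges for attribution.
    """
    by_id = {tx.txid: tx for tx in txs}
    # index transactions by the outpoints they spend, so we can find the
    # transaction that consumes a given (txid, vout)
    spender = {spent: tx for tx in txs for spent in tx.inputs}

    tx = by_id[start_txid]
    hops, peeled, peel_addresses = 0, 0.0, []
    while True:
        hops += 1
        largest = max(range(len(tx.outputs)), key=lambda k: tx.outputs[k][1])
        for k, (addr, amount) in enumerate(tx.outputs):
            if k != largest:
                peeled += amount
                peel_addresses.append(addr)
        nxt = spender.get((tx.txid, largest))
        if nxt is None:
            # continuation output is unspent: end of the visible chain
            break
        tx = nxt

    return {
        "hops": hops,
        "peeled_btc": round(peeled, 8),
        "remaining_btc": round(tx.outputs[largest][1], 8),
        "peel_addresses": peel_addresses,
    }


if __name__ == "__main__":
    chain = build_peel_chain(start_btc=100.0, peel_btc=5.0, hops=10)
    print(follow_peel_chain(chain, "tx00"))
```

The heuristic is only as good as its assumption: it works while the peeled amount stays small relative to the running balance, which is exactly the behaviour the article describes. Once the remaining balance approaches the peel size, or when the funds pass through a mixer or a transaction with many similar-sized outputs, the largest-output rule no longer identifies the continuation and the trace has to fall back on other evidence such as address clustering or exchange deposit records.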
Ransomware-as-a-service (RaaS) syndicates like REvil and DarkSide rent their file-encrypting malware to affiliates recruited via online forums and Telegram channels, who then launch attacks on corporate networks in exchange for a large share of the paid ransom.
“Ransomware has increasingly taken centre stage this year, as it has disrupted global supply chains. Despite not always being a very sophisticated attack method, it achieves notoriety because of its real-world impact. A combination of network analysis to identify the tell-tale signs of a ransomware attack, robust back-ups to aid recovery, and cross-country coordinated takedowns will be the key to stemming the flow of successful ransomware attacks in the future,” Forbes told Threatpost (a third-party cybersecurity site).
Last month, the Washington Post reported that the U.S. Federal Bureau of Investigation (FBI) had obtained a decryptor by gaining access to the group's servers but held it back from victims of the Kaseya ransomware attack for nearly three weeks, as part of a plan to disrupt the gang's malicious activities. “The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan.”
Group-IB’s Oleg Skulkin concluded that “the REvil ransomware gang restored the infrastructure from backups under the premise that they had not been compromised.” Ironically, a gang whose own playbook includes compromising its victims' backups was undone by restoring from backups that had themselves been compromised.