Ransomware is big business for organized criminals, one that’s largely able to operate untouched. Despite our knowledge of these crimes, it’s been difficult to root out who’s doing what due to everything from virtual protections to international borders.
REvil is just one of hundreds of ransomware groups that have plagued the United States though they’ve ultimately caused untold damage all over the world.
Thankfully, governments are making headway when fighting back. According to multiple private sector cyber experts, there are multiple countries working together to take back stolen funds and prosecute ransomware gangs. While the details are still being uncovered, we look at how officials aren’t taking anything lying down.
Recent reports claim $6 million has been seized in cryptocurrency, a major coup for the government and a serious future crime deterrent.
A Network of Criminals
REvil is one of the most famous crime groups in cybersecurity. It directly infiltrated meatpacker JBS, but perhaps its most famous attack was indirectly pulled off by the group’s former partners. Past associates of REvil managed to cause massive gas shortages by attacking the Colonial Pipeline. Using the encryption software DarkSide, the crime group managed to extract millions of dollars in ransom payments.
The head of cybersecurity strategy at VMWare, Tom Kellerman, has worked with law enforcement and security personnel to stop further victims from being targeted and to identify criminals regardless of their location. The FBI, Secret Service, and other countries are taking serious action to disrupt the groups. REvil was at the top of the list.
The US had long been taking steps to combat these groups, but efforts accelerated in July of 2021 when REvil managed to hack into software management company Kaseya. This hack made hundreds of customers vulnerable and triggered a serious response from the government.
While the FBI did have a decryption key that could have been used to get the files back, agents decided to use the hack to their advantage. By strategically waiting to reveal the decryption key, they were able to hack at least part of REvil’s servers.
The efforts had one of the key leaders of the gang on the run. Known only as 0_neday, the criminal confirmed to a crime forum that the group’s servers were compromised and that government officials knew who they were after. The main spokesman for the group, a figure who calls themselves Unknown, has also vanished from view.
Turning the Tables
REvil had gotten away with a lot of crime without any detection, which likely left them believing they were invulnerable to authorities. 0_neday may have thought they were restoring the group’s websites, but instead, he was actually restarting internal systems controlled by law enforcement.
It’s clear the gang had assumed they weren’t compromised — otherwise they never would have tried restoring their infrastructure. Just as the criminals had relied on backups as a way into the network, so too did government officials and security professionals.
This was the crux of the hacks in the first place. People need to back up their work if they’re going to defend against a ransomware hacker. However, if those backups are completed through the organization’s main network, it opens everyone under the umbrella to a successful breach.
People need to back up their work if they’re going to defend against a ransomware hacker.
Look Who’s (Not) Talking
Comments from the Security Council and the FBI are few and far between. They are willing to confirm that ransomware is at the top of their radar though and that the government is working with the private sector to modernize their tactics. They’ve also confirmed that this is an international project to ensure that bad actors are held accountable.
There are reports though that a foreign partner of the US has a still-active operation to penetrate more of REvil’s architecture. Under the condition of anonymity, those familiar with the events are confident that the matters are being treated with the gravity they deserve. Lisa Monaco, Deputy Attorney General, said that what’s happening right now is akin to terrorism and thus requires the same degree of scrutiny.
Additional Takedowns and Coalitions
The Ransomware-as-a-Service (RaaS) portal BlackMatters, also known as a one-stop-shop where criminals can access cyber ransom software, recently shut down due to local authorities. This information came from a message on an RaaS portal. The poster confirmed that the ransomware gang would be shut down within 48 hours.
While the message doesn’t confirm exactly what happened, the event was tied to a discovery that linked the assumed creators of the software to the cybercrime group known as FIN7. From there, they connected the actors to a cybersecurity firm called Bastion Secure. FIN7 is also associated with DarkSide, meaning the REvil takedown was likely a contributing factor as well. These hackers may not all be working together, but it’s clear that there are associations between the major groups.
Conti, another malware group, also recently shifted its business objectives, which might be in preparation of being found out soon. While the group doesn’t seem to be backing down just yet, they are updating their blog to go after companies attacked by ransomware.
Finally, the UK recently formed its own cyber council to hunt down ransomware gangs. Director of intelligence agency GCHQ, said that Britain has seen a rise in attacks and the government is ready to go on the offensive. This would mean targeting and disabling operations under the UK’s National Cyber Force, a brand new command developed specifically to find criminals and stop them before they do any more damage. To that end, Britain was a part of the team that helped take down REvil.
When technology changes so quickly, the government’s ability to keep up can look comparatively sluggish. However, these events do confirm that progress is being made. The ransomware gangs may be able to operate from anywhere in the world but that doesn’t mean they can hide forever. Governments from every corner of the globe are prepared to throw resources in the game to ensure that everyone can stay safe online.
In the meantime, it’s imperative for your organization to stay vigilant in order to prevent a ransomware attack. To learn more about how Dataprise can help you with your overall cybersecurity strategy, contact us to set up a discovery call.
Interested in gauging your cyber posture? Take our short Cyber Hygiene Assessment today and receive personalized recommendations from our experts.