The Russia-led ransomware gang REvil was brought down by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline earlier this week, the latest move by governments to disrupt the lucrative ransomware ecosystem.
The takedown was first reported by Reuters, citing several private-sector cyber experts working with the US government. The report also noted that May's cyberattack on Colonial Pipeline relied on encryption software developed by REvil associates, officially corroborating DarkSide's ties to the prolific criminal group.
Coinciding with the development, blockchain analytics firm Elliptic revealed that $7 million in bitcoin held by the DarkSide ransomware group was moved through a series of new wallets, with only a small fraction of the total transferred at each hop, in order to make the laundered money more difficult to track and to convert the funds into fiat currency through exchanges.
On Sunday it emerged that REvil's Tor payment portal and data leak site had been hijacked by unidentified actors, with a member affiliated with the operation saying "the server was compromised and they were looking for me," which led to speculation of coordinated law enforcement involvement.
The increasingly prosperous and profitable ransomware economy is typically characterized by a complex web of partnerships, with ransomware-as-a-service (RaaS) syndicates such as REvil and DarkSide leasing their file-encrypting malware to affiliates recruited through online forums and Telegram channels, who launch attacks on corporate networks in exchange for a significant share of the ransom paid.
This service model allows the ransomware operators to focus on improving the product, while affiliates concentrate on spreading the ransomware and infecting as many victims as possible, creating an assembly line of ransom payments that is then split between the developers and the affiliates. Notably, these affiliates may also turn to other cybercriminal enterprises that sell initial access to networks through persistent backdoors in order to carry out their intrusions.
"Affiliates typically buy corporate access from [Initial Access Brokers] on the cheap and then infect those networks with a ransomware product previously obtained by the operators," said Digital Shadows in a report released in May 2021. "The rise of these threat actors in addition to the growing importance of RaaS models in the threat landscape indicates an increasing professionalization of cybercrime."
REvil (aka Sodinokibi) first shut down in mid-July 2021 following a series of high-profile attacks targeting JBS and Kaseya earlier this year, but the crew staged an official comeback in early September under the same brand name, even as the US Federal Bureau of Investigation (FBI) quietly planned to dismantle the threat actor's malicious infrastructure without its knowledge, as the Washington Post reported last month.
"The REvil ransomware gang restored the infrastructure from the backups assuming they had not been compromised," Group-IB's Oleg Skulkin told Reuters. "Ironically, the gang's preferred tactic of compromising the backups backfired."