CyberScoop reports that the REvil ransomware operation was dismantled in January with the help of a "disgruntled internal source" who was upset with their earnings relative to other affiliates.
Trellix Head of Threat Intelligence John Fokker noted in a report that researchers were able to better understand REvil's operations, as well as how it monitored its affiliates, through screenshots of its backend panel shared by the aggrieved affiliate. The source revealed that infostealer logs, PowerShell scripts, RDPBrute, WinPEAS, ADFind, Cobalt Strike, and Mimikatz have been part of REvil's arsenal.
"This unprecedented finding was surprising, and we immediately packaged these findings together with additional analysis on individual members and the organization's communication channels in a 55-page report for global law enforcement," wrote Fokker.
The disruption of REvil underscores how much ransomware operators depend on keeping their affiliates satisfied.
"It shows that if you're not paying your people, you're not paying what people think they're owed, the loyalty goes out the door," Fokker added.
A healthcare provider can have all the elements in place, but without context, prioritization of systems, and a well-practiced incident response plan, the effectiveness of even well-laid processes is limited.