Ransomware, Threat Management

Report: REvil ransomware group was forced offline

JBS was a high-profile victim of REvil earlier in 2021.  (Photo by Matthew Stockman/Getty Images)

REvil, the ransomware group responsible for notorious attacks on JBS and Kaseya earlier this year, was forced offline this week by a multi-country operation, Reuters reported Thursday.

Quoting Tom Kellermann, head of cybersecurity strategy at VMware, the news organization said the FBI, in conjunction with U.S. Cyber Command, the Secret Service and “like-minded countries, have truly engaged in significant disruptive actions against these groups.”

Last week, SC Media reported that REvil’s servers and leaks blog appeared to go dark. But unlike its disappearance from the web shortly after the Kaseya attack in July, REvil’s sudden vanishing seemed to be due to outside disruption rather than an attempt by the ransomware gang to lie low.

REvil returned online Sept. 11 by posting proofs of breaches on its “Happy Blog” leak site. But REvil’s servers had been hacked by an unknown party, an REvil leader known as “0_neday” posted to a cybercrime forum, according to Reuters. Restoring the sites appears to have been REvil’s downfall, as Reuters reported that some of the internal systems had come under the control of law enforcement.

“Ironically, the gang's own favorite tactic of compromising the backups was turned against them,” Oleg Skulkin, deputy head of the forensics lab at Group-IB, told Reuters.

A foreign partner of the U.S. government carried out the hacking operation that penetrated REvil’s computer architecture, an unattributed source told Reuters, while another unnamed source said the operation was still active.

Speculation that Kaseya had paid a ransom emerged shortly after the tech company began distributing a decryption key to its customers, a rumor the company denied.

In September, Bitdefender announced the release of a free, universal decryption key to restore files of victims of past REvil attacks, saying it created the tool in conjunction with an unnamed law enforcement partner.

The Washington Post later reported that the FBI had access to the decryption key for weeks before handing it over to Kaseya because it was planning to use the key to disrupt the group’s operations, a move that angered some lawmakers.

The FBI and a spokesperson for the White House National Security Council declined to comment to Reuters.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
