REvil group: allegedly offline again after compromise by the FBI and partners


The ransomware extortion group REvil was hacked by law enforcement as part of a multinational operation and has gone offline again as a result. That is what the Reuters news agency reports, and it would explain why the group disappeared from the scene once more this week. According to the report, the FBI, together with other US security agencies and partner organizations from other countries, succeeded in compromising the REvil group's backups, turning one of the cybercriminals' own tactics against them. The report also attributes the success to a more aggressive approach by the state actors.

For its report, Reuters cites statements from three cybersecurity experts, some of them named, including people from VMware and Group-IB, as well as an unnamed former official. They stated that a friendly state had succeeded in hacking into REvil's infrastructure while responding to the Kaseya attack. At least some of the attackers' servers were brought under control, and the backups were presumably compromised as well. REvil then suddenly went offline, but later came back using those backups, without realizing that this would give law enforcement access again. Going after the backups was the cybercriminals' own favorite tactic, explains Oleg Skulkin from Group-IB. Now the group has been pushed out of the network again.

According to the report, the successful attack on one of the most dangerous ransomware groups was also preceded by a change in strategy by the US government. In early summer, the US Department of Justice decided that investigations into such ransomware cases should be treated as matters of national security. Since then, they have been handled with the priority otherwise reserved for terrorism investigations. That created the legal basis for involving the intelligence services and the US military. "Before, you could not hack these forums and the military did not want anything to do with it; after that, the velvet gloves were taken off," explains Tom Kellermann from VMware.


The escalation began with the attack on Kaseya at the beginning of July. Exploiting a vulnerability in the IT service provider's software, the group hit hundreds of Kaseya customers in one fell swoop. For a "universal decryption tool" to recover the data, it immediately demanded 70 million US dollars in Bitcoin. It later became known that the FBI had obtained the key through access to the cybercriminals' servers in Russia, which would have helped the victims immensely. However, the key was withheld in preparation for a major strike against REvil. That big counter-blow never happened, because REvil suddenly vanished from the scene. The key was then handed over to Kaseya a few days later, three weeks after it had been captured.

[Update 22.10.21, 12:07:] The REvil group had also stolen numerous documents from the Taiwanese Apple supplier Quanta Computer and tried to blackmail the iPhone maker. Ultimately, blueprints for the new MacBook Pro models ended up online. Among other things, they revealed in advance that the machines would again have more ports, including MagSafe 3.


(mho)
