RIP REvil? Notorious Russian cyber group reportedly taken down by law enforcement officials
In May, REvil attacked JBS and forced it to pay $11 million in ransom. The name REvil is an amalgam of the words Ransomware and Evil. REvil only provides RaaS (Ransomware as a service) and does not hack systems itself.
One of the world's most notorious ransomware gangs, REvil, has reportedly been taken down as part of a multi-nation security operation. The report also claims that law enforcement officials and cybersecurity experts from the US and other countries were behind taking control of the group's accounts.
Here's what happened:
Security expert Dmitry Smilyanets had earlier shared a post by a REvil operator in the XSS forum.
The post, by the username '0_neday', describes what's been going on with the group. He said only two members of the REvil gang, himself and another user named 'Unknown', had REvil's domain keys. But Unknown had been inactive since July, leading them to believe that he had died.
But someone mysteriously accessed the REvil domain using Unknown's credentials.
0_neday also alleged that the person who had accessed the domain was looking for him. They even deleted the path to his hidden service and created a new one so that he would walk into it and get caught.
The latest report confirms that the 'mysterious' access was by none other than law enforcement officials who later forced REvil's servers offline.
There are claims that REvil is state-sponsored by Russia, but its actions suggest otherwise.
Unlike state-sponsored groups, REvil is motivated by financial profits and flexing about the level of damage it can cause rather than slyly exfiltrating confidential data.
Incidentally, the group was reported to have been hacked and taken offline by law enforcement officials in July this year after an hour-long phone call between the US President and his Russian counterpart Vladimir Putin. But as it turns out, the group did make a comeback later, as predicted by News9.
But there is another theory to this. The REvil incident in July could've been orchestrated by law enforcement officials.
"It's highly possible that the access to REvil servers was with the law enforcement since it went down in July," says TechniSanct CEO and Cybersecurity researcher Nandakishore Harikumar.
"We know that one of their guys is still active. If he is not arrested and servers and law enforcement officials don't go deep into the network, it is highly possible that the group would come back rebranded, as they have done before," he added.
REvil attack timeline: 2021
REvil had been upgrading its tools recently and had carried out at least one major attack every month between March and July this year.
In March this year, it attacked the Harris Foundation – affecting 37,000 students. The group also claimed to have attacked Acer in the same month.
In April, the group claimed to have stolen plans about Apple's upcoming product launches from Quanta computer and demanded $50 million.
In May, the same group attacked the world's largest meat processor, JBS, which ended up paying $11 million in ransom. The DarkSide encryption software, allegedly developed by REvil or an offshoot gang, was also used in the Colonial Pipeline cyberattack that crippled gas supply on the U.S. East Coast.
In June, American power generation and operations company Invenergy was attacked and REvil claimed responsibility for it.
The biggest attack by the group was in July, when it dropped its malware into hundreds of systems by infiltrating Kaseya's desktop management software.
Just a few days later, on July 7, the gang attacked the systems of American weapons technology contractor HX5 which deals with the US Army, Navy, Air Force and NASA.
What is REvil? How does it operate?
REvil, an amalgam of Ransomware and Evil, was the name under which a group of high-tech cybercriminals had been operating for the past couple of years.
Contrary to popular belief, groups like REvil only provide RaaS (Ransomware as a service) and do not hack systems themselves. They develop malware and offer it to affiliates, who do the dirty work of installing it on the victim's system. Think of it like a drug lord hiring local peddlers to do the groundwork, but in this case the affiliates take home 80% of the earnings while groups like REvil keep the remaining 20%.