US, allied nations force REvil ransomware group offline: report

The United States and other nations earlier this week in a joint operation hacked and forced offline the REvil cyber criminal group, which has been linked to several major ransomware attacks this year.

Reuters reported Thursday citing multiple officials and private sector experts that the FBI, U.S. Cyber Command, the Secret Service, and the governments of other unnamed nations had breached servers used by REvil to carry out attacks in an effort to disrupt their operations.  

The Hill reached out to the FBI, U.S. Cyber Command, and the Cybersecurity and Infrastructure Security Agency (CISA) for comment. 

REvil was linked by the FBI in July to the ransomware attack against IT group Kaseya, which impacted up to 1,500 companies, and earlier in the year to the ransomware attack on meat producer JBS USA.

This is the second time REvil has been taken offline, with the group’s websites going dark shortly after the attack on Kaseya in July. The websites were taken down prior to a planned operation against them led by the FBI, which chose to withhold a decryption key from Kaseya and other groups impacted by the attack while the operation was pursued. 

According to Reuters, when several members of the REvil hacker group restarted the websites last month from a backup, they unknowingly restarted systems that law enforcement had already gained access to.  

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB., told Reuters. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”

REvil is one of several Russian cybercriminal groups that have become a national security threat in recent months.

The DarkSide ransomware group was linked to the ransomware attack on Colonial Pipeline in May that led to gas shortages in multiple states, and a coalition of federal agencies warned earlier this week that the BlackMatter ransomware group targeting the agriculture sector could be a rebrand of DarkSide. 

Bloomberg News reported Wednesday that the Russian-based Evil Corp. cyber group was behind the ransomware attack on Sinclair Broadcast Group, an attack that continues to disrupt some operations at the company’s 185 owned and operated news stations. 

The Biden administration has taken numerous steps to confront the increasing ransomware attacks against critical groups, which have also included schools, hospitals, and government agencies.

President Biden urged Russian President Vladimir Putin to crack down on cybercriminals based in Russia during their in-person meeting in June, and last week the White House hosted an international meeting on ransomware that involved leaders from other 30 countries. Russia was not invited to participate in the meeting. 

The Justice Department set up a ransomware task force and recently announced a program to go after federal contractors who fail to report cyber incidents to the U.S. government. It also successfully recovered the majority of the $4.4 million in Bitcoin paid by Colonial Pipeline to the hackers in May. 

“We need to use all of the tools that we can to disrupt malicious cyber activity,” Deputy Attorney General Lisa Monaco said at the virtual Aspen Institute Cyber Summit earlier this month.