U.S. markets close in 2 hours 17 minutes
  • S&P 500

    +71.04 (+1.55%)
  • Dow 30

    +313.55 (+0.90%)
  • Nasdaq

    +310.39 (+2.00%)
  • Russell 2000

    +15.30 (+0.68%)
  • Crude Oil

    +2.98 (+4.37%)
  • Gold

    -2.70 (-0.15%)
  • Silver

    -0.31 (-1.35%)

    -0.0046 (-0.41%)
  • 10-Yr Bond

    +0.0390 (+2.63%)

    -0.0038 (-0.29%)

    +0.4070 (+0.36%)

    +5,025.11 (+9.36%)
  • CMC Crypto 200

    +39.66 (+2.78%)
  • FTSE 100

    +65.92 (+0.94%)
  • Nikkei 225

    -467.70 (-1.63%)

REvil, a Russian ransomware operation, shut down because of hackers

·4 min read

REvil, a Russian-language ransomware gang, has suspended operations for the second time in recent months, this time because the group itself was compromised.

REvil’s leaks blog, called the Happy Blog, went offline on Oct. 17. On the same day, a REvil member announced that the group was shutting down on a Russian-language hacking forum because its domain had been hijacked. The REvil member said someone had used the private Tor keys of the group’s former spokesperson, “Unknown,” to access REvil’s domain.

REvil previously suspended operations in mid-July after President Joe Biden called on Russian President Vladimir Putin to crack down on cybercriminals in his country.

In late May, REvil attacked Brazil-based meat processing giant JBS and received an $11 million ransom for a decryption key so the company could recover data that the ransomware group had encrypted. And in early July, the group compromised remote management software from Kaseya, leading to ransomware-related compromises at about 1,500 organizations.

In a blog post, Cybersecurity firm Flashpoint called REvil’s recent suspension of operations an “unexpected turn” because the group was recently recruiting new affiliates. REvil’s decision to shut down set off a debate on the XSS Russian hacking forum, with a member of the LockBit ransomware gang suggesting REvil's reemergence in September was part of an FBI operation to catch REvil affiliates.

“Something is rotten in the state of ransomware,” another XSS forum member wrote.

It’s unclear who compromised REvil’s domain or if REvil’s description of the compromise is accurate. There was some speculation among cybersecurity experts that the reported compromise was part of a law enforcement or government counterhacking operation. Still, no government agency has taken credit for the attack on REvil.

Attribution for the reported attack on REvil will be difficult, said Dana Wills, an information security consultant for Asteros, a cybersecurity vendor. "In this case, with Russia under pressure to act, threats from the U.S. government to take down the group, incentives of rival hacking groups, and possible insider threats within the organization, it may never be known exactly who is responsible,” she told the Washington Examiner.

Even if one major ransomware group has been taken down permanently, other groups are still out there, she added. “As long as ransomware pays out, hacking groups will continue to profit from it,” she said. “Existing groups will undoubtedly fill any vacuum left by REvil.”

“I believe this is a ruse,” said Richard Blech, CEO of XSOC Corp., an encryption vendor. “REvil has orchestrated they're going dark to evade pursuit and give the impression that they have been compromised or shut down.”

REvil will likely reemerge as a new ransomware group and “once again wreak havoc,” Blech told the Washington Examiner. “They have all the know-how necessary to be back at it again under a new skin.”

REvil’s recent recruitment of affiliates, which appears to be ongoing, suggests the group will be back in some form, added Austin Merritt, a cyber threat intelligence analyst for Digital Shadows, a cybersecurity vendor.

“In the short term, it appears to be good news that REvil has had some of their infrastructures disrupted because it has prompted the group to remain offline,” he told the Washington Examiner. “However, the group continues its recruitment of affiliates and has alluded to the possibility of returning later this year with new recruits.”

Meanwhile, organizations can take several steps to protect against ransomware. Merritt said that companies should create backups of critical data and ensure that they can easily access the backups after a ransomware attack. In addition, organizations should conduct cybersecurity risk audits and perform penetration testing to evaluate their cybersecurity, he said.

Employee education is also a big part of the defense against ransomware, added XSOC’s Blech. Organizations should train employees on cybersecurity situational awareness, he recommended.

“Education and training from top to bottom is a must so that all members of an enterprise know the do's and don'ts of how to handle sensitive data and access to their network,” he added.

Washington Examiner Videos

Tags: Cybersecurity, Technology, Russia, Ransomware attack, Computer Hacking

Original Author: Grant Gross

Original Location: REvil, a Russian ransomware operation, shut down because of hackers