A US/Foreign Government Operation Hijacked the Servers of a Major Ransomware Gang

The U.S. Department of Defense’s internet-defending Cyber Command teamed with “a foreign government” in two operations which shut down a major overseas ransomware group by hijacking its servers, reports the Washington Post. Several U.S. officials told the Post the operation left the ransomware gang’s leaders “too frightened of identification and arrest to stay in business.”
“Domains hijacked from REvil,” wrote 0_neday, an REvil leader, on a Russian-language forum popular with cyber criminals, on October 17…. “The server was compromised,” he wrote hours later, “and they are looking for me.” And then: “Good luck everyone, I’m taking off.”

Soon after, REvil ceased operations, such as recruitment of affiliates, ransom negotiations and distribution of malware.

The Washington Post previously reported that REvil’s servers [“reachable only through Tor”] had been hacked in the summer, giving the FBI access. The compromise allowed the FBI, working with the foreign partner, to gain access to the servers and private keys, officials said. The bureau was then able to share that information last month with the U.S. Cyber Command, enabling the hijacking, they said… Cyber Command leader General Paul Nakasone said at the Aspen Security Forum on Wednesday that while he wouldn’t comment on specific operations, “we bring our best people together … the really good thinkers” to brainstorm ways to “get after folks” conducting ransomware attacks and other malign activities. “I’m pleased with the progress we’ve made,” he said, “and we’ve got a lot more to do.”

The group’s departure may be temporary. Ransomware gangs have been known to go underground, regroup and reappear, sometimes under a new name. But the recent development suggests that ransomware crews can be influenced — even temporarily — to cease operations if they fear they will be outed and arrested, analysts say. “The latest voluntary disappearance of REvil highlights the powerful psychological impact of having these villains believe that they are being hunted and that their identities will be revealed,” said Dmitri Alperovitch, executive chairman of the think tank Silverado Policy Accelerator and a cyber expert. “U.S. and allied governments should proudly acknowledge these cyber operations and make it clear that no ransomware criminal will be safe from the long reach of their militaries and law enforcement agencies….”

Recorded Future threat intelligence analyst Dmitry Smilyanets believes “REvil as a brand is done.”

And meanwhile, an anonymous Slashdot reader shares the news that German investigators “have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang,” according to Threatpost. “He lolls around on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang.”
The showy billionaire goes by “Nikolay K.” on social media, and German police are hoping he’ll cruise out of Russia on his next vacation — preferably, to a country with a cooperation agreement with Germany so they can arrest him. In case he decides to kick back somewhere other than sunny Crimea, they’ve got an arrest warrant waiting for him….

According to Reuters, which broke the news of last week’s law enforcement move against the gang, REvil was also behind the Colonial Pipeline attack, rather than the previously presumed culprit, a ransomware group named DarkSide.