Russia-led gang behind deadly cyberattack was itself hacked

The ransomware group REvil was itself forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.

The Russian-led criminal gang was responsible for a May cyberattack on Colonial Pipeline that led to widespread gas shortages on the US East Coast. REvil's Happy Blog website, which had been used to leak victim data and extort companies, is no longer available.

Officials said the Colonial attack used encryption software called DarkSide, developed by REvil associates.

Tom Kellerman, head of cybersecurity strategy at VMWare, said law enforcement and intelligence personnel stopped the group from victimizing additional companies.

The FBI, in conjunction with the Secret Service and similar countries, have truly engaged in significant disruptive actions against these groups, said Kellerman, an adviser to the U.S. Secret Service on cybercrime investigations. REvil was top of the list. A leadership figure known as 0_neday, who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.

The server was compromised and they were looking for me, 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. US government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised US software management company Kaseya in July.

That breach opened access to hundreds of Kaseya customers all at once, leading to numerous emergency cyber incident response calls.

Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed businesses infected via Kaseya to recover their files without paying a ransom.

But law enforcement officials initially withheld the key for weeks as they quietly pursued REvil's staff, the FBI later acknowledged.

According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.

After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself Unknown, vanished from the internet.

When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.

The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised, said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. Ironically, the gang's own favorite tactic of compromising the backups was turned against them. Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept disconnected from the main networks, or they can be encrypted by extortionists such as REvil. A backup restored without first checking whether it was compromised before it was taken simply reinstates the attacker's access, as happened here.

A spokesperson for the White House National Security Council declined to comment specifically on the operation.

Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernise our defences and building an international coalition to hold countries who harbour ransom actors accountable, the person said.

One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.

The success stems from a determination by US Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, Kellerman said.

In June, Principal Associate Deputy Attorney General John Carlin told Reuters that the Justice Department was elevating investigations of ransomware attacks to a similar priority.

Such actions gave the Justice Department and other agencies a legal basis to get help from US intelligence agencies and the Department of Defense, Kellerman said.

Before, you couldn't hack into these forums, and the military didn't want anything to do with it. Since then, the gloves have come off.