An international group of intelligence agencies, including the FBI, has taken REvil off the net. REvil is the gang behind, among other things, the Kaseya attack that affected more than a thousand companies.
The cyber gang's sites went offline last week, the second time they have gone dark since the gang became notorious for several significant ransomware attacks. In addition, a user linked to the gang, 0_neday, reported on forums that REvil's payment portal and blog had been hacked. According to Reuters, this was the work of police forces in multiple countries, who used REvil's own strategies against the gang by infecting backups of the site and blog.
REvil has been one of the more notorious cyber gangs in recent months. It is linked, among other things, to the attack on the American energy company Colonial Pipeline, and it is also said to have hacked a law firm that represents music stars such as Lady Gaga, U2 and Madonna. The gang's heaviest attack, however, was against IT company Kaseya, which makes tools for remote management; by compromising those tools, the gang was able to hit more than a thousand companies, including some Belgian ones.
A few weeks after the hack, Kaseya was given a universal key to the ransomware, which the FBI is now known to have obtained. Law enforcement therefore had access to REvil's servers and kept the key for 19 days in an attempt to trap the gang. That didn't work at the time; the gang disappeared shortly after the Kaseya hack.
However, when rebooting the servers for the gang's return, 0_neday would also have revived the police's backdoors and malware, Oleg Skulkin of security firm Group-IB told Reuters. That way, the gang would now be taken off the net 'for real', although little prevents the actual members from starting over under a different name.