The Russian-led REvil ransomware gang was felled by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline for a second time earlier this week, in what’s the latest action taken by governments to disrupt the lucrative ecosystem.
The takedown was first reported by Reuters, quoting multiple private-sector cyber experts working with the U.S. government, noting that the May cyber attack on Colonial Pipeline relied on encryption software developed by REvil associates, officially corroborating DarkSide’s connections to the prolific criminal outfit.
Coinciding with the development, blockchain analytics firm Elliptic disclosed that $7 million in bitcoin held by the DarkSide ransomware group were moved through a series of new wallets, with a small fraction of the amount being transferred with each transfer to make the laundered money more difficult to track and convert the funds into fiat currency through exchanges.
On Sunday, it emerged that REvil’s Tor payment portal and data leak website had been hijacked by unidentified actors, with a member affiliated with the operation stating that “the server was compromised and they were looking for me,” leading to speculations of a coordinated law enforcement involvement.
The increasingly successful and profitable ransomware economy has been typically characterized by a complex tangle of partnerships, with ransomware-as-a-service (RaaS) syndicates such as REvil and DarkSide renting their file-encrypting malware to affiliates recruited through online forums and Telegram channels, who launch the attacks against corporate networks in exchange for a large share of the paid ransom.
This service model allows ransomware operators to improve the product, while the affiliates can focus on spreading the ransomware and infecting as many victims as possible to create an assembly line of ransom payouts that can then be split between the developer and themselves. It’s worth noting these affiliates may also turn to other cybercriminal enterprises that offer initial access via persistent backdoors to orchestrate the intrusions.
“Affiliates typically buy corporate access from [Initial Access Brokers] for cheap and then infect those networks with a ransomware product previously obtained by the operators,” Digital Shadows said in a report published in May 2021. “The rise of these threat actors in addition to the growing importance of RaaS models in the threat landscape indicates an expanding professionalization of cybercriminality.”
REvil (aka Sodinokibi) shut down for the first time in mid-July 2021 following a string of high-profile attacks aimed at JBS and Kaseya earlier this year, but the crew staged a formal return in early September under the same brand name, even as the U.S. Federal Bureau of Investigation (FBI) stealthily planned to dismantle the threat actor’s malicious activities without their knowledge, as reported by the Washington Post last month.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Group-IB’s Oleg Skulkin was quoted as saying to Reuters. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”