International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure


In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation.

The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the latter attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United States to be shut down for a week. While ransomware had always posed a threat to critical infrastructure, these attacks made it clear that critical infrastructure was certainly not off-limits for ransomware gangs.

After the attacks, the White House announced more resources would be made available to deal with the ransomware threat, with ransomware attacks elevated to a priority level similar to that of terrorism. President Biden met with Russian President Vladimir Putin and urged him to take action against ransomware gangs operating within Russia's borders, and the United States has been working with cybersecurity leaders to discuss other cybersecurity initiatives to mitigate the threat. As part of the ongoing efforts to deal with the ransomware threat, earlier this month President Biden announced the United States would be participating in a meeting with leaders from more than 30 countries to combat ransomware.

REvil Operation Targeted by Law Enforcement

It has now become clear that the shutdown of the REvil operation was the result of an international law enforcement effort, according to a recent Reuters report. Tom Kellermann, VMware's head of cybersecurity strategy and an advisor to the US Secret Service, said, “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups.”

REvil emerged in 2019 as an offshoot of the GandCrab ransomware operation and soon became the most prolific ransomware group, accounting for 73% of all ransomware detections in Q2 2021. When it came to taking action against these groups, “REvil was top of the list,” said Kellermann.

In July, before the REvil gang went dark, law enforcement gained access to some of its network infrastructure and servers, with Kellermann confirming that law enforcement had prevented attacks on several companies. Mimicking the tactics of the REvil gang itself, law enforcement also compromised the gang's backups. The REvil gang attempted to restore its servers from those backups in the belief that they had not been compromised, but the restored infrastructure was under the control of law enforcement.

One of the leaders of the REvil operation, known as “0_neday”, recently posted on a cybercrime forum confirming that an unnamed party had compromised its servers and claimed, “They were looking for me… Good luck, everyone; I’m off.”

The shutdown almost certainly spells the end of the REvil operation; however, when takedowns occur, it is common for ransomware gangs to simply rebrand and start a new operation. The affiliates that have signed up for RaaS operations often jump ship and sign up with other RaaS operations, so while REvil was a major operator, its demise does not mean that ransomware attacks will slow. After news of the takedown emerged, members of other ransomware gangs posted online showing solidarity with the REvil operation. One member of the Groove operation called for other ransomware groups to respond to the takedown by increasing their attacks on targets in the United States.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
