Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

REvil Revelations: Law Enforcement Behind Disruptions

FBI, US Secret Service and US Cyber Command Target Ransomware Gangs, Reuters Reports
REvil Revelations: Law Enforcement Behind Disruptions
FBI Director Christopher Wray, appearing before a Senate committee last month, confirmed that the bureau and law enforcement partners had obtained a universal decryption key for REvil.

The outages of the notorious REvil - aka Sodinokibi - ransomware operation have been due to a coordinated law enforcement effort involving the U.S. and foreign partners, aimed at disrupting the group's attack capabilities, Reuters reports.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," Tom Kellermann, head of cybersecurity strategy for VMWare and also a cybercrime investigations adviser to the U.S. Secret Service, tells Reuters. "REvil was top of the list."

Last week, the White House said known payments to ransomware attackers reached over $400 million globally in 2020 and topped $81 million in the first quarter of 2021.

REvil has been ranked among the biggest such threats. After first appearing in April 2019 as an offshoot of the GandCrab ransomware operation, REvil quickly became one of the most dominant and damaging strains of ransomware. But the operation's Happy Blog data leak site, where it names and shames victims, as well as its payment portal for victims to negotiate and pay a ransom, went dark in July, not long after two big hits.

On May 30, REvil-wielding attackers encrypted systems at the U.S. operations of Brazil-based meat processing giant JBS, which paid the attackers a ransom worth $11 million in exchange for a decryption key and a promise to not leak stolen data. On July 2, REvil unleashed an attack via IT remote management software built by Kaseya, used by managed service providers. In total, it hit about 1,500 organizations - collectively, customers of 50 different MSPs - and crypto-locked many of their systems.

A post to REvil/Sodinokibi's Tor-based "Happy Blog" data leak site following its attack on Kaseya

U.S. President Joe Biden has been marshalling increased resources to address the threat posed by ransomware in the wake of a string of such attacks, which have seen not just REvil but many other groups severely disrupt critical infrastructure not just in the United States but also in allied countries.

Experts say the effort to directly disrupt ransomware groups has been aided by the U.S. attorney general's office elevating its pursuit of ransomware to where it's now getting attention and resources equal to those given to counterterrorism. Legally speaking, this has given law enforcement agencies and government hacking teams greater latitude.

"Before, you couldn't hack into these forums, and the military didn't want to have anything to do with it," Kellermann said. "Since then, the gloves have come off."

At the same time, the Department of the Treasury has also been moving to restrict the flow of cryptocurrency funds to ransomware groups, to further disrupt the efficacy of this illicit business model.

Critical Sector Hits

Not just REvil, but other groups have been causing devastation. In May, Ireland's national health service was hit by Conti, sparking monthslong impact that disrupted medical care throughout the country. The same month, DarkSide hit Colonial Pipeline Co., which supplies 45% of the U.S. East Coast's fuel, leading the public to panic-buy gas. Colonial paid a ransom worth $4.4 million ransom to DarkSide, most of which the FBI managed to recover.

Pamela Clegg, director of education and investigations for blockchain analytics company CipherTrace, speaking at the annual Digital Investigations Conference hosted by Swiss digital investigations product reseller Arina in June, said that she had it "on good authority" that the FBI got access to the DarkSide bitcoin wallet via a private key to the wallet, found on a device that was seized by a foreign law enforcement agency before the Colonial Pipeline attack happened or any ransom got paid.

Free REvil Decryptor Released

Some security experts, including Emsisoft CTO Fabian Wosar, have previously noted that access to REvil's infrastructure by law enforcement - Reuters reports it wasn't the FBI, but a foreign partner - led to its obtaining a working decryption key for REvil.

FBI Director Christopher Wray in September confirmed a Washington Post report that the FBI had held onto this REvil decryption key for three weeks before allowing it to be shared with victims. Testifying before the Senate Homeland Security and Governmental Affairs Committee, Wray said the bureau didn't want to tip off attackers that it had gained some access to their infrastructure.

"There is a lot of testing and validating that is required to make sure that they are going to actually do what they're supposed to do," Wray said of the decryption keys. "And there's a lot of engineering that's required to develop the tool. … Sometimes we have to make calculations about how best to help the most people because maximizing the impact is always the goal and whenever we do that in these joint-enabled sequenced operations, we are doing it in conjunction with other government agencies and others."

Free decryptor for files encrypted by REvil/Sodinokibi prior to July 13, 2021 (Source: Bitdefender)

But law enforcement agenices did then share the key, as has been previously reported. That led to security firm Bitdefender last month being able to develop and release a free decryptor for almost all versions of REvil seen prior to its July disappearance.

REvil's First Reboot

White House and FBI officials have previously said that they didn't know why REvil went dark in July. Based on Wray's testimony - and the FBI's decision to withhold the universal decryption key it had obtained - this appeared to take the bureau by surprise.

Foreign law enforcement partners were instrumental in obtaining the REvil key, as well as the latest disruption, Reuters reports.

One of the core REvil administrators, who goes by "Unknown," has not posted on any cybercrime forums since July, security experts say.

Earlier this month, however, another supposed REvil core operator, who goes by "0_neday," announced in a post to the XSS cybercrime forum that the ransomware operation was once again up and running, and that the fate of Unknown remained unknown; possibly he was dead.

"After the July disruptions, it's believed that REvil reset the campaign keys used by each affiliate," says Jake Williams, CTO of Georgia-based incident response firm BreachQuest. He adds that 0_neday promised to give affiliates new campaign keys, so they could resume shaking down victims to pay, in return for the promise of a decryption key.

On Sunday, however, as Recorded Future first spotted, 0_neday announced that REvil's sites had been hijacked, that he would be at least temporarily taking them offline, and that someone was apparently "looking for" him.

"I checked the sites and found no signs of compromise," 0_neday said in his XSS posts. But he postulated that someone appeared to have obtained a full backup of REvil's Tor sites, including the private key needed to create the site.

Anyone in possession of such a key could launch their own version of a site, supplanting all previous versions. In other words, law enforcement officials could have substituted their own version of REvil's data leak site and payment portal, potentially to spy on and help identify administrators and affiliates (see: Ransomware Soap Opera Continues With REvil's Latest Outage).

After the July shutdown, the REvil ransomware gang restored the infrastructure from the backups under the assumption that it had not been compromised. Apparently, the backups had been, and so had been their private .onion service keys, Oleg Skulkin, deputy head of the forensics lab at the Russian-led security firm Group-IB, tells Information Security Media Group. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them," he says.

Precisely how law enforcement agencies obtained the keys and backups remains unclear. "While the keys could potentially have been acquired purely through hacking back, it's hard to imagine that's the case given Unknown's disappearance as well," Williams says. "The obvious conclusion is that it's likely Unknown - or a close co-conspirator - was arrested, though the arrest may have been enabled via hacking-back operations."

Backstabbing Leads to Fallout

Law enforcement and disappearing leadership aren't REvil's only problems. Ransomware-as-a-service operations such as REvil rely on affiliates to take their malware and infect victims, which they do in return for a share of any resulting profit from a ransom payment. Typically, an affiliate gets to keep 70%. But reverse-engineering experts at a cybercrime forum found that until July, REvil's crypto-locking malware included a backdoor designed to help administrators cut affiliates out, so the operators could keep 100% of all profits.

Dealing with the obvious fallout, since its relaunch REvil had been offering affiliates a 90% cut, according to threat intelligence firm Digital Shadows.

But highly skilled affiliates are a hot commodity. "While tracking activity at the RaaS affiliate level remains a challenge, it seems clear that the affiliate diaspora from REvil has been absorbed by other large RaaS operations like Conti and LockBit 2.0," reports ransomware incident response firm Coveware. "LockBit 2.0 in particular seems to be pushing the RaaS model into new territories in order to attract the most talented affiliates. Specifically, the RaaS operation advertises greater transparency to affiliates and direct receipt of ransomware proceeds. It seems the rivalry between LockBit 2.0 and REvil compelled these changes."

Still Waiting for a Knockout Blow?

So, will REvil reboot yet again? While the group's infrastructure has been disrupted, it's not clear that it or all of its core members have been dealt a knockout blow.

"Even though REvil may not recover from this latest shutdown, it doesn't necessarily mean that they are going to stop malicious activities," says Group-IB's Skulkin. "This might just be an attempt to have a fresh start under a different name for a new round of high-value cyber heists. We've seen such a scenario with DarkSide, DoppelPaymer and Avaddon."

As yet, at least some high-value REvil capabilities also don't seem to have been obtained by law enforcement agencies. "It seems unlikely at this point that the U.S. government has a master key for REvil," Williams says. "After the backlash over not releasing the campaign key used in the Kaseya attack, it's hard to believe the government would risk more negative publicity. Individual affiliates may release their campaign keys, but it seems doubtful at this time that the core REvil group will."

If the group attempts to again restore operations, it faces the prospect of more coordinated attempts by a coalition of 30 countries' law enforcement and intelligence agencies to disrupt its efforts, following on the heels of their previous success.

"This unequivocally good news is an example of the way cooperating governments can impose cost on ransomware actors," says Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future. "Will they regroup and launch a new ransomware? Probably. But this kind of aggressive action makes other ransomware groups think twice."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.