At first glance, this was not a case of the group deliberately shutting itself down, whether to disappear or to defraud its affiliates by withholding their share of the ransoms collected. According to Reuters, the ransomware group REvil was the victim of a hacking operation carried out by several countries.
According to sources familiar with the matter cited by the news agency, the FBI acted in conjunction with the US cyber army and secret services, as well as law enforcement agencies in other countries, to penetrate REvil's infrastructure and gain control of some of its servers.
REvil had already gone dark once, over the summer, when a universal decryptor for its ransomware mysteriously appeared and was attributed to a law enforcement partner. The group's infrastructure nevertheless resurfaced in September.
That comeback was confirmed by a REvil operator known as 0_neday, who recently posted on a hacking forum frequented by cybercriminals about the compromise of the servers by an unidentified third party: "The server has been compromised and they are looking for me. Good luck; I am retiring."
Compromised backups …
0_neday notably stated that this third party had obtained the private keys of the REvil group's Tor hidden services and had access to the infrastructure's backups. Those backups had been used to restart REvil's operations.
"The REvil ransomware gang restored the infrastructure from the backups on the assumption that they had not been compromised. Ironically, the gang's favorite tactic of compromising backups backfired," comments Oleg Skulkin of Russian cybersecurity firm Group-IB.
The operation against REvil is reportedly still ongoing. As a reminder, the REvil group is often described as Russian-speaking.