- FBI launches offensive hacking campaign targeting the REvil ransomware gang
- The attack vector was a backdoor implanted during an earlier FBI operation
- REvil was responsible for 4.6% of ransomware attacks in Q1 this year
- REvil members have been forced to disappear
- A rival ransomware gang has called for unity amongst cybercriminals to attack the US public sector
Who is REvil?
One of the most notorious ransomware gangs. In Q1 this year they accounted for 4.6% of all ransomware attacks. Some of their biggest hits include stealing MacBook schematics from a Taiwanese manufacturer, hacking JBS (the world's largest meat supplier), and most notably the Kaseya ransomware attack, in which remote management software used by thousands of organisations was compromised, leading to an unprecedented situation in which (according to REvil's own numbers) 1 million computers were held to ransom.
The FBI's Wager
During the Kaseya ransomware attack perpetrated by REvil, the FBI procured a set of decryption keys for victims. We now know that the FBI refrained from publishing the keys for almost 3 weeks after procuring them, throwing the victims under the bus so as not to tip REvil off to the FBI's larger plan.
Following the Kaseya ransomware attack, REvil vanished. They ran somewhere...
In early September REvil reappeared, intent on resuming operations. But they made one fatal mistake on their return: they restored from backups, and those backups had been compromised by the FBI in its earlier operation to nab the decryption keys. As a result, the FBI was in control of some of REvil's infrastructure.
The FBI hasn't made public the methods by which it hacked REvil's systems.
Spooked, REvil members have seemingly disappeared into the ether. Fearing they may be next, other ransomware gangs have reacted; in particular, the DarkSide and BlackMatter gangs have been moving large chunks of their bitcoin in a possible sign they may be looking to cash out. Approximately $6.8m worth has been shifted thus far.
The Groove ransomware gang has posted some strong words on its dark web site. As translated by BleepingComputer:
"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing,
unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet
while our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this" - Groove ransomware.
Is this one group throwing a tantrum, or... Begun the ransomware wars have?