Governments push ransomware gang REvil offline: Sources

(Reuters) — The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private-sector cyber experts working with the United States and one former official.

Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS. The crime group's “Happy Blog” website, which had been used to leak victim data and extort companies, is no longer available.

Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

VMWare head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Mr. Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”

A leadership figure known as “0_neday,” who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.

“The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend and first spotted by security firm Recorded Future. “Good luck, everyone; I'm off.”

U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls.

Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom.

But law enforcement officials initially withheld the key for weeks as it quietly pursued REvil's staff, the FBI later acknowledged. 

According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of the servers.