Christopher Bing and Joseph Menn

(Reuters) – According to three former officials and cyber specialists working for the United States, ransomware group REvil had its website hacked.

Russian-led criminal gangs were responsible for the May cyberattack against the Colonial Pipeline, which caused severe gas shortages in the U.S. East Coast. REvil’s Happy Blog website is now unavailable. It was used to leak victim data and exort companies.

Officials claim that DarkSide was an encryption program used by the Colonial attackers. It was developed and maintained by REvil collaborators.

Tom Kellerman, VMWare’s head of cybersecurity strategy, stated that law enforcement personnel and intelligence personnel prevented the group from committing additional crimes against other companies.

“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Kellerman, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”

The leader known as “0_neday,” who helped to restart operations following an earlier shutdown of the group, claimed REvil’s servers had already been compromised by an unknown party.

“The server was compromised. They were looking for my identity,” 0_neday said on a cybercrime forum last week and was first spotted in Recorded Future’s database. All good luck; I’m going.

The U.S. government’s efforts to stop REvil (one of many ransomware gangs working with hackers to hack and paralyze businesses around the globe) were accelerated by the July compromise of Kaseya, an American software management company.

The breach gave Kaseya access to hundreds of Kaseya customer accounts at once. This led to multiple emergency cyber-incident response calls.

DECRYPTION-KEY

The FBI obtained a universal key to decrypt files after the Kaseya attacks.

The FBI acknowledged that the FBI had initially kept the key secret for several weeks while it silently pursued REvil’s staff.

Three sources familiar with the situation claim that intelligence cyber-spys and law enforcement were able, according to reports, to hack REvil’s network infrastructure. This allowed them to take control at most of their servers.

The hacker group’s websites went down in July. Their main spokesperson, “Unknown,” has disappeared from the web.

Gang member 0_neday restored these websites to a backup, but he did not know that he was restarting internal systems which were controlled by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”

Backups that are reliable and can be trusted against ransomware attacks are an important defence. However, they should not be connected to the main network or could be encrypted by extortionists like REvil.

The White House National Security Council spokesperson declined to speak on this specific operation.

According to the source, “Broadly speaking we are undertaking a whole government ransomware initiative, including disrupting ransomware infrastructures and actors, working together with the private sectors to modernize and strengthen our defenses, as well building an international coalition that will hold ransom-agent countries accountable.”

The FBI refused to comment.

A person with knowledge of the event said that the hacking operation to penetrate REvil’s computer architecture was done by an American partner. An ex-official from the United States, speaking under anonymity, confirmed that the operation continues to be active.

Kellerman explained that this success was due to the determination of Lisa Monaco (U.S. Deputy attorney General) to treat ransomware attacks upon critical infrastructure as a national security problem similar in nature and to terroristic acts.

John Carlin, principal associate Deputy attorney general, stated to Reuters that the Justice Department had raised investigations into ransomware attacks from a similar priority in June.

Kellerman stated that such actions provided the Justice Department with a legal basis for seeking assistance from U.S intelligence agencies and Department of Defense.

“Before you could not hack into these forums and the military did not want anything to do it. “The gloves have been removed since then.”