REvil ransomware gang allegedly forced offline by law enforcement counterattacks
According to Reuters, the REvil ransomware operation was “hacked and forced offline this week by a multi-country operation”.
Reuters writes that one of its sources claims the hack-back against this notorious ransomware crew was achieved thanks to the combined efforts of the FBI, the US Cyber Command, the Secret Service “and like-minded countries”, though it stopped short of identifying those allies by name.
We’ve seen the FBI mount a successful hack-back operation before, in the aftermath of the Colonial Pipeline ransomware attack that disrupted fuel supplies in the United States.
Colonial first said it wouldn’t pay the $4.4 million blackmail demand from the attackers; then admitted it had paid the money after all; then found it had mis-spent its funds when the decryption tool offered by the crooks was simply too slow to do the job…
…only to get 85% of its Bitcoins back later on, thanks to a court-authorised “retrieval of funds” pulled off by the FBI as follows:
Law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.
Ransomware as a Service
The Colonial ransomware incident was attributed to a cybergang going by DarkSide, a criminal operation that Reuters describes as “developed by REvil associates.”
As you probably know, many ransomware operations these days don’t operate as small, self-contained groups, but rather as networks of so-called associates or affiliates in a criminal ecosystem dubbed RaaS, short for ransomware as a service.
A central team of coders creates the malware, collects the blackmail payments, handles decryption operations, and keeps an “agent’s fee” (typically an iTunes-like 30%) of every attack where the victim pays up.
Clustered around the core are numerous recruited affiliates who sign up to be the mercenary soldiers of the RaaS operation, carrying out the necessary reconnaissance, intrusion, lateral movement, and network takeover for data-scrambling attacks.
Each affiliate gang takes home 70% of the money extorted in any attack that it orchestrates.
Hoist with their own petard?
According to Reuters, the REvil gang may have been caught out by a thorny problem that its own victims face when trying to recover a broken network from backup: how far back should you go?
If you go back too far, you risk restoring data that is pointlessly out of date, so that although your computers may start working again, your business won’t usefully be able to resume trading.
But if you don’t go back far enough, you risk restoring your network to a state where it was already fully compromised by the crooks, so there is little to stop the attackers steaming back in and doing it all over again.
Reuters suggests that a gang member known an 0_neday
, who helped to get the REvil network running again after an outage last month, may inadvertently have brought back to life a bunch of internal servers that had already been compromised by law enforcement.
If this is how law enforcement did get back into the gang’s system, it’s a case of of what Shakespeare would have called “hoist with their own petard”.
Activating the Network Time Machine
Importantly, chasing down remote access holes that cybercriminals opened up in the course of an attack is a critical part of recovering from any network intrusion, whether that intrusion involved ransomware or not.
Our jocular name for this is activating the Network Time Machine, meaning that it’s not enough for cybersecurity responders such as the Sophos Managed Threat Response (MTR) team simply to identify and remove any malware that was directly related to the final attack.
You also need to rewind time to work out when the crooks first got in, and what sneaky and unauthorized network changes they made along the way.
After the Colonial Pipeline attack, for example, the Sophos MTR team reported that in three earlier incidents it had investigated where DarkSide had apparently been involved, the attackers had been scoping out the network and planning the ransomware denouement for 44 days, 45 days, and 88 days respectively.
What to do?
Even if the ransomware “brand” REvil now seems to be a spent force: [a] the alleged perpetrators haven’t actually been arrested, so there’s little to prevent them re-emerging under another name or joining another crew; [b] there are many other ransomware gangs already operating; and [c] ransomware is only one of many worrying cyberthreats out there.
So, our tips for defending against ransomware in particular, and cybercrime in general, include:
- Use layered protection. Given the considerable increase in extortion-based attacks, it’s more important than ever to keep the bad stuff out and the good stuff in. Modern cyber compromises often involve a lengthy attack chain, where the crooks advance their position in separate stages to reduce the chance of being spotted. But a longer attack chain also means a longer kill chain, which is any point along the way where an early warning would give you the chance to detect and reverse the attack before its intended conclusion.
- Assume you will be attacked. Ransomware remains highly prevalent, even though the relative numbers are down from 51% last year to 37% this year. No industry sector, country, or size of business is immune. It’s better to be prepared but not hit than the other way round.
- Make backups. Backups are still the most useful way of recovering scrambled data after a ransomware attack that runs its full course. Even if you pay the ransom, you rarely get all your data back, so you’ll need to rely on backups anyway. (And keep at least one backup offline, and ideally also offsite, where the crooks can’t get at it.)
- Invest in managed threat response. If you have the time and expertise to do this yourself, prepare now. If not, consider identifying a trusted third party such as Sophos MTR or Sophos Rapid Response to do the groundwork for you. If you detect an attack halfway through, you need to displace the crooks completely from your network, not merely to remove and remediate the most recent sign of their activity.
- Read our 2021 State of Ransomware report. The figures tell an interesting and important story about the scale and the nature of the danger posed by ransomware. By reading the report, you’re getting an insight into what victims are experiencing in real life, not merely what the cybersecurity industry is saying about the threat.