Back in April, the REvil ransomware group hacked into Mac assembler Quanta to reveal 2021 MacBook Pro designs ahead of the launch. Now REvil has itself been hacked in an FBI-led operation, in partnership with the Secret Service and law enforcement agencies in multiple countries.
Law enforcement gained control of a number of REvil servers in an operation designed to prevent further attacks, and to pursue individuals involved in running the ransomware group …
Background
Ransomware group REvil said in April that it had hacked into systems belonging to Apple supplier Quanta Computer and obtained internal engineering schematics for a number of then-unreleased new products. It backed this claim by sharing examples, which initially revealed nothing new.
REvil first attempted to blackmail Quanta for $50M in return for not making the files available to the public, and subsequently tried the same thing with Apple.
When this failed, REvil went ahead and released schematics that revealed the new ports found in the 2021 MacBook Pro. The schematics were proved accurate when the machines were launched with the MagSafe, HDMI, and SD card slot I/O shown.
REvil ransomware group hacked by FBI
Reuters reports that the FBI and other law enforcement agencies have now turned the tables on the group.
The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official […] The crime group’s “Happy Blog” website, which had been used to leak victim data and extort companies, is no longer available […]
VMWare head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.
“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”
The actual attack is said to have been made by a cybersecurity team from “a foreign partner.” One of the individuals behind REvil confirmed that it took place.
A leadership figure known as “0_neday,” who had helped restart the group’s operations after an earlier shutdown, said REvil’s servers had been hacked by an unnamed party.
“The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum last weekend and first spotted by security firm Recorded Future. “Good luck, everyone; I’m off.”
In a delicious piece of irony, law enforcement used one of REvil’s own tactics against it. A common response to ransomware attacks that encrypt data is to restore from backup. REvil often injects code into the backups to frustrate this, and the FBI-led operation reportedly did the same with the group’s own backups. They took down a number of websites used by the group, and compromised the backups.
When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
