REvil ransomware gang allegedly forced offline by law enforcement counterattacks

by Paul Ducklin

According to Reuters, the REVil ransomware operation was “hacked and forced offline this week by a multi-country operation”.

Reuters writes that one of its sources claims that the hack-back against this notorious ransomware crew was jointly achieved thanks to the combined efforts of the FBI, the US Cyber Command, the Secret Service “and like-minded countries”, though it stopped short of identifying those allies by name.

We’ve seen the FBI mount a successful hack-back operation before, in the aftermath of the Colonial Pipeline ransomware attack that disrupted fuel supplies in the United States.

Colonial first said it wouldn’t pay the $4.4 million blackmail demand from the attackers; then admitted it had paid the money after all; then found it had mis-spent its funds when the decryption tool offered by the crooks was simply too slow to do the job…

…only to get 85% of its Bitcoins back later on, thanks to a court-authorised “retrieval of funds” pulled off by the FBI as follows:

Law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.

Ransomware as a Service

The Colonial ransomware incident was attributed to a cybergang going by DarkSide, a criminal operation that Reuters describes as “developed by REvil associates.”

As you probably know, many ransomware operations these days don’t operate as a small, tightly closed groups, but rather as networks of so-called associates or affiliates in a criminal ecosystem dubbed RaaS, short for ransomware as a service.

A central team of coders creates the malware, collects the blackmail payments, handles decryption operations, and keeps an “agent’s fee” (typically an iTunes-like 30%) of every attack where the victim pays up.

A much larger crew of recruited affiliates sign up to be the mercenary soldiers of the RaaS operation, carrying out the necessary reconnaisance, intrusion, lateral movement and network takeover for a data-scrambling attack.

Each affiliate gang takes home 70% of the money extorted in any attack that it orchestrates.

Of course, recruiting more affiliates means more money for the crooks at the centre of it all, who are coining 30% of everything, but also means there are more ways for the overall operation to become inefficient, for bad blood to build up, for secrets to leak out, and for counter-intelligence operations to succeed.

Two months ago, for example, we wrote about tensions in the Conti ransomware operation that led to a disgruntled affiliate dumping a file called Мануали для работяг и софт.rar (Operating manuals and software), and denouncing the gang’s operators for cheating:

Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.

The implication, clearly, was that affiliates in the Conti ransomware crew were not being paid 70% of the actual ransom amount, but 70% of an imaginary but lower number.

In contrast, the REvil gang was alleged recently to have started promising its affiliates 80% and even 90% payouts, perhaps in an attempt to regroup and rebuild in the face of increasing infiltration and counter-hacking attacks.

Hoist with their own petard?

According to Reuters, the REvil gang may have been caught out by a thorny problem that its own victims face when trying to recover a broken network from backup: how far back should you go?

If you go back too far, you risk restoring data that is pointlessly out of date, so that although your computers may start working again, your business won’t usefully be able to resume trading.

But if you don’t go back far enough, you risk restoring your network to a state where it was already fully compromised by the crooks, so there is little to stop the attackers steaming back in and doing it all over again.

Reuters suggests that a gang member known an 0_neday, who helped to get the REvil network running again after an outage last month, may inadvertently have brought back to life a bunch of internal servers that had already been compromised by law enforcement.

If this is how law enforcement did get back into the gang’s system, it’s a case of of what Shakespeare would have called “hoist with their own petard”.

Activting the Network Time Machine

Importantly, chasing down remote access holes that cybercriminals opened up in the course of an attack is a critical part of recovering from any network intrusion, whether that intrusion involved ransomware or not.

Our jocular name for this is activating the Network Time Machine, meaning that it’s not enough for cybersecurity responders such as the Sophos Managed Threat Response (MTR) team simply to identify and remove any malware that was directly related to the final attack.

You also need to rewind time to work out when the crooks first got in, and what sneaky and unauthorised network changes they made along the way.

After the Colonial Pipeline attack, for example, the Sophos MTR team reported that in three earlier incidents it had investigated where DarkSide had apparently been involved, the attackers had been scoping out the network and planning the ransomware denouement for 44 days, 45 days and 88 days respectively.

Backdoors left behind by cybercriminals don’t always involve technologically sophisticated hacking and malware tools that you can reliably hunt for using known IoCs (indicators of compromise). Crooks often hide in plain sight, for example by observing and learning your own network nomenclature, and manually creating bogus backdoor accounts that unexceptionably line up with your own naming standards. In fact, the crooks who broke in at the start if the intrusion might not even be the same gang that unleashed the final ransomware attack, because access to your network could have been sold on or “leased out” along the way between co-operating cybercrime crews.

What to do?

Even if the ransomware “brand” REvil now seems to be a spent force: [a] the alleged perpetrators haven’t actually been arrested, so there’s little to prevent them re-emerging under another name or joining another crew; [b] there are many other ransomware gangs already operating; and [c] ransomware is only one of many worrying cyberthreats out there.

So, our tips for defending against ransomware in particular, and cybercrime in general, include:

• Use layered protection. Given the considerable increase in extortion-based attacks, it’s more important than ever to keep the bad stuff out and the good stuff in. Modern cybercompromises often involve a lengthy attack chain, where the crooks advance their position in many stages to reduce the chance of being spotted. But a longer attack chain also means a longer kill chain, which is any point along the way where an early warning would give you the chance to detect and reverse the attack before its intended conclusion.
• Assume you will be attacked. Ransomware remains highly prevalent, even though the relative numbers are down from 51% last year to 37% this year. No industry sector, country, or size of business is immune. It’s better to be prepared but not hit, than the other way round.
• Make backups. Backups are the still the most useful way of recovering scrambled data after a ransomware attack that runs its full course. Even if you pay the ransom, you rarely get all your data back, so you’ll need to rely on backups anyway. (And keep at least one backup offline, and ideally also offsite, where the crooks can’t get at it.)
• Invest in managed threat response. If you have the time and expertise to do this yourself, prepare now. If not, consider identifying a trusted third party such as Sophos MTR or Sophos Rapid Response to do the groundwork for you. If you detect an attack half-way through, you need to displace the crooks completely from your network, not merely to remove and remediate the most recent sign of their activity.
• Read our 2021 State of Ransomware report. The figures tell an interesting and important story about the scale and the nature of the danger posed by ransomware. By reading the report, you’re getting an insight into what victims are experiencing in real life, not merely what the cybersecurity industry is saying about the threat.