Situation Report: US and allied cyber forces strike back against Russian ransomware hackers


A recent report by Reuters reveals good news: that there is an organized government/industry effort to address ransomware, at least one form of it that was deployed against industries in the United States throughout this past summer.

An organization called “REvil” (also known as “Sodinokibi”), which operates predominantly out of Russia, conducted a series of ransomware attacks that crippled important industries in the US and elsewhere. REvil’s members and associates developed encryption software known as “DarkSide” to conduct “cryptoviral extortion” of its victims, seizing important data and holding it hostage while demanding a ransom in exchange for decryption.

REvil’s DarkSide ransomware was used on May 6th against the operator of the Colonial Pipeline – one of America’s largest and most important infrastructures for the transportation of refined petroleum fuel products, such as gasoline, diesel, and jet fuels. The attackers seized 100 gigabytes of data from the company’s network in just two hours, halting the movement of fuel for days and threatening the fuel supply for nearly half of the United States.

Barely three weeks later, on May 30th, REvil conducted an attack against JBS S.A., the world’s largest meat producer, first halting operations in Australia, and then in Canada and the United States (where JBS accounts for almost 25% of all beef capacity).

REvil struck again during America’s Independence Day holiday, conducting a “supply chain attack” by deploying their ransomware against a managed service provider (MSP). They timed the attack to take place when many Federal employees would be less accessible to assist their private sector partners with the response to this crippling hack. The victim, Kaseya VSA, is just one of many contracting companies that provide clients with IT support at a lower cost and with more expertise than many small businesses could afford by hiring their own IT personnel.

The perhaps better-known SolarWinds hack similarly targeted an MSP, although not for ransom.

The Kaseya attack was far more wide-reaching and indiscriminate than the ones levied against Colonial and JBS, since it affected hundreds of Kaseya’s customers simultaneously and triggered an overwhelming number of cyber incident response calls.

In its wake, the U.S. Government worked to assist attack victims, including employing the FBI to acquire a “universal decryption key” that rendered REvil’s ransom demands useless by enabling infected data to be recovered independently. While the FBI was criticized for waiting three weeks before publicly announcing this universal key (which would have saved victims many millions of dollars in data recovery costs), the Bureau apparently had been working on a plan to disrupt REvil and didn’t want the organization tipped off.

When REvil went offline in mid-July, some analysts assumed that the U.S. Government had lost its opportunity to take action against the group. Those assumptions seemed correct when REvil came back online on September 7th, claiming that the FBI had only acquired the universal key because the hacker group accidentally leaked it.

What the most recent Reuters report reveals, though, is that the U.S. Government and its partners had, in fact, succeeded in acting against REvil in late summer. Law enforcement and intelligence cyberwarfare personnel from the U.S. and our allies had apparently gained control of servers owned by REvil. When the group went offline and backed those servers up, they did not realize the servers had already been compromised.

When the group re-emerged last month and brought their servers back online, they soon recognized that they had been hacked by the authorities, forcing them to again halt their malicious operations.

“The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Tom Kellermann, an adviser to the US Secret Service on cybercrime and head of cybersecurity strategy at VMware.

Apparently, REvil did not heed one of the most important defenses against the very ransomware attacks they perpetrate – keeping reliable server backups disconnected from main networks – thus enabling authorities to hack the hackers.
