Unhappy customers and their own tricks used against them, REvil ransomware gang reportedly pulled offline by 'multi-country' operations

As we noted a few days back, notorious ransomware gang REvil "disappeared" again this week. Recent reports have now shed light on why that may be. The REvil leaks blog, known as Happy Blog, was made inaccessible on October 17, the same day one of its operators announced the group was shutting down due to a hijacking of their …

  1. Pascal Monett Silver badge

    REvil's downfall

    If I'm not mistaken, it's only the servers and command structure that went down.

    There haven't been any arrests.

    So these people are free to set up a new command structure. I'm sure they have backups. They'll be back online shortly.

    I applaud the takedown obviously, but until those scum are in jail, they'll be back.

    1. Version 1.0 Silver badge
      Joke

      Re: REvil's downfall

      I'm guessing that law enforcement sent REvil a malware infection to take control of their systems, but I would bet that REvil have backups, so let's watch out for the future. Will a new gang called livER appear, sending out an app to run on systems to "prevent" infections called "Ma Lawer" ....

    2. General Purpose Bronze badge

      Re: REvil's downfall

      >They'll be back online shortly.

      But how will they prove they're genuine?

      1. DS999 Silver badge

        I'm Spartacus and so's my wife!

        I suppose if someone has been publicized as having a ransomware attack they might get third parties claiming the ransom should be paid to them, but unless they kept backups of their victim list the real ones might not know who to contact. Or for that matter have a working decryption key to provide!

      2. Anonymous Coward

        Re: REvil's downfall

        They'll do it by repeating the last good one, which got into SolarWinds, and this time they'll delete and trash everything instead of simply extracting the data. And it's going to suck like we've never seen.

    3. Snake Silver badge

      Re: REvil's downfall

      It would be reasonable to believe that they admin'ed their servers through an onion-routed interface; at least if they had a drop of intelligence they would have. This makes finding the humans behind the tech a lot harder. Maybe if we give them more time to dive into the systems they penetrated we can hope for arrests in the future.

      1. Alan Brown Silver badge

        Re: REvil's downfall

        "This makes finding the humans behind the tech a lot harder"

        Harder, but not impossible. In some ways onion routing can make it easier to find your bad guys.

    4. This post has been deleted by its author

  2. Anonymous Coward

    fight fire with fire

    I enjoy greatly how the law-enforcement agencies have taken to using conspiracy theories to undermine criminals' 'creds'. It's quite hilarious to see gangs being frustrated by their customers' distrust towards the gangs' legitimacy after 'resurrection', PLUS those totally anonymous unhappy reviews. Ironically, as with any conspiracy theories, it's impossible to separate facts from fiction (ever!) and refute the theories, and I'm pretty sure law-enforcement agencies had a finger in sowing this mistrust.

    1. Sixtiesplastictrektableware

      Re: fight fire with fire

      Agree. Looks like the same old 'infiltrate the intruders' approach, though. Time honoured 'cause it always works.

      Well, it works after some trial and error. The formation of CSIS in Canadaland comes to mind.

      People taking it upon themselves to commit crimes for profit would appear to be quick to incite in the right/wrong company. Those that are bad at it, anyways.

  3. blue dragon

    OR...

    They abandoned everything and are in the planning phase to leverage the gigabyte master key theft. Just when we thought things were bad, in the words of the great scientist Sam Beckett: "Oh Boy".

  4. Clausewitz 4.0
    Devil

    Rhetoric

    It is all about rhetoric. They ramp up their cyber capabilities while trying to take down the opponent's cyber capabilities.

    Luckily we have better brains and commanders around here. And encrypted backups.

    1. Alan Brown Silver badge

      Re: Rhetoric

      "Luckily we have better brains and commanders around here. And encrypted backups."

      Except we don't. Most of the time we barely have backups at all until 15 minutes after a need for them is proven and seagull manglement have had their shit blow up spectacularly in their own faces.

  5. Blackjack Silver badge

    They meet on Zoom?

    That Zoom? The one that's not private or safe?

    That's kind of funny.

    1. Clausewitz 4.0
      Devil

      We shall suppose quasi-normal talks are held there. Important discussions are always done behind closed doors, in person. With "bluetooth" disabled.

    2. John Brown (no body) Silver badge

      Was it really Zoom or is Zoom just being used as a generic term for a video conference?

      Has Zoom been Hoovered? Or iPadded? (Yes, I've heard people refer to generic Android tablets as an "iPad", or generic mobile phones as an "iPhone")

  6. Patched Out

    Just deserts.

    It would be really great if the law enforcement team that managed to infiltrate their infrastructure also managed to encrypt all of their backups prior to shutting them down. Now THAT would be justice.

  7. Snake Silver badge

    "Notably without Russia"

    Big surprise. I was going to ask about Russia's involvement, expecting a "null" on that.

    1. Clausewitz 4.0
      Devil

      Re: "Notably without Russia"

      Notably, Russia was not called by the other belligerent parties. Russia alleges they sent over 40 requisitions of detected cyber-threats, but all went unanswered by the USA. Do you see the trap? No cooperation to disrupt operations from A, but they need to disrupt operations from B.

      1. WolfFan Silver badge

        Re: "Notably without Russia"

        No one believes what Russia alleges; in the unlikely event that there's some truth to even one of those allegations, no one cares.

        1. Clausewitz 4.0
          Devil

          Re: "Notably without Russia"

          You usually do not need to believe in anyone. But you should believe in serious folks with physical material and already demonstrated capabilities.

  8. TrevorH

    After Kaseya it appears that REvil got out of the ransomware business. If the recent attacks on VoIP infrastructure are to be believed they've moved into plain extortion instead - "Send us 10 BTC or we will DDoS your business to death".

  9. HildyJ Silver badge
    Meh

    Nice but

    As anyone who has played can tell you, you can never win at Whack-a-Mole.

    The little victories are satisfying but until Russia gets irritated enough to jail or extradite the perps they will just keep popping back up.

    1. Alan Brown Silver badge

      Re: Nice but

      Yup.

      Most of this shit got kicked out of Ukraine some years back after tracebacks were demonstrated to the government and a simple ultimatum given of "stop this shit happening or you lose connectivity to the Tier 1 carriers".

      It's been similar in most countries where the gangs hang out. Russia is the big holdout because mafia management.

  10. Bitsminer Bronze badge

    means and ways

    Reading the official Joint Statement of the 30 countries, there are some interesting quotes:

    > ...uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors...

    "Arbitrage" is an interesting word. Used by multi-national traders to make money on the differences between stock markets, commodity markets, and currency markets. Used by tax lawyers to make money reducing the taxes for corporate clients (hello Ireland, hello North Dakota). And used by national governments to influence their friends and rivals for access to markets, commodities, taxes and now virtual currencies.

    > We will consider all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety.

    Since "all national tools" includes intelligence, enforcement, diplomacy, and armed forces (not necessarily in that order), the statement essentially draws a line in the sand beyond which any and all "tools" will be used against the malefactors. Naming the issues: "critical infrastructure" and "safety" defines the line. However, may I point out that my "critical infrastructure" (hello Starbucks) is not the same as your "critical infrastructure" (hello food supply chain).

    > We will leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cybercriminals.

    A bit of bureaucratic phrasing, but it means "if you don't go after your cybercriminals, we will go after you". With multi-national coordinated action. See above.

    I'm looking forward to hearing about how REvil was taken down.

    1. John Brown (no body) Silver badge

      Re: means and ways

      "I'm looking forward to hearing about how REvil was taken down."

      Possibly in a future Who, Me? or On Call episode? Or maybe someone pissed off the BOFH.

    2. katrinab Silver badge
      Meh

      Re: means and ways

      Starbucks sells food, which is pretty important if you want to stay alive.

      Sure there are other ways, and many people will argue better ways, to get food, but it is still part of the food distribution chain, and therefore critical national infrastructure.

      Even if you never go there, other people do, and that means they aren’t going where you go. If they did, your place might not be able to cope.

    3. Alan Brown Silver badge

      Re: means and ways

      > "if you don't go after your cybercriminals, we will go after you". With multi-national coordinated action. See above.

      Making it personal is indeed how you deal with "protected individuals" or gangs.

      It's not just critical infrastructure. Making it hard for Russia to sell oil or otherwise earn crucial foreign exchange is a fast way of getting extra attention.
