Governments turn tables on ransomware gang REvil by pushing it offline

Photo: US officials talk about the Colonial Pipeline ransomware attack during a news conference in Washington, D.C. on June 7, 2021. (REUTERS/File Photo)
Updated 22 October 2021


  • Law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers
  • One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture

The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.
Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the US East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available.
Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.
VMWare head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.
"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the US Secret Service on cybercrime investigations. "REvil was top of the list."
A leadership figure known as "0_neday," who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.
"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. "Good luck, everyone; I'm off."
US government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised US software management company Kaseya in July. 
That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls.

Decryption key
Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom.
But law enforcement officials initially withheld the key for weeks as they quietly pursued REvil's staff, the FBI later acknowledged.
According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.
After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet.
When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”
Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept disconnected from the main networks; otherwise they too can be encrypted by extortionists such as REvil.
A spokesperson for the White House National Security Council declined to comment on the operation specifically.
"Broadly speaking, we are undertaking a whole-of-government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable," the person said.
The FBI declined to comment.
One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.
The success stems from a determination by US Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, Kellermann said.
In June, Principal Associate Deputy Attorney General John Carlin told Reuters the Justice Department was elevating investigations of ransomware attacks to a similar priority.
Such actions gave the Justice Department and other agencies a legal basis to get help from US intelligence agencies and the Department of Defense, Kellermann said.
"Before, you couldn't hack into these forums, and the military didn't want to have anything to do with it. Since then, the gloves have come off." 
