This week, the worldwide fight against ransomware took a new turn, with the US joining a law enforcement attempt to hack back and disrupt the extortion ring behind the Colonial Pipeline breach.
The Tor servers linked to the REvil ransomware group were seized in what was characterised as a “multi-country” hack-back operation that is still ongoing, according to a Reuters story.
The ransomware group’s public blog, which was used to shame corporations into paying multi-million dollar data recovery ransoms, was taken down. One of the operators sent a goodbye message that read: “The server had been hacked, and they were on the lookout for me. Good luck to everyone; I’m leaving now.”
The REvil takedown, which was carried out by a foreign partner of the US government, was confirmed by threat hunters investigating underground human-operated ransomware activities.
Several other ransomware gangs reacted to the REvil network takeover by transferring cryptocurrency reserves and even openly criticising the hacking operation.
In human-operated ransomware operations against various U.S. companies, the notorious REvil gang was caught employing the Darkside data encryption programme. The Colonial Pipeline cyberattack, which prompted the closure of gas stations, and the Kaseya supply-chain compromise were among them.
Officials from law enforcement are refusing to comment on the takedown, citing the ongoing nature of the operation.
Colonial Pipeline spent $4.4 million to buy a decryption key in the aftermath of the incident, which resulted in gasoline shortages in areas of the United States.
The REvil takedown comes after the US government discovered $5.2 billion in outgoing Bitcoin transactions that could be tied to ransomware payments, particularly to Russian and Eastern European cybercriminal organisations.