Cybersecurity experts have told Reuters that law enforcement officials from multiple countries were involved in disrupting the REvil ransomware gang, which went dark for the second time on Sunday.
Rumors and questions about the group's most recent disappearance dominated the conversation this week after Recorded Future security expert Dmitry Smilyanets shared on Twitter multiple messages that '0_neday', a known REvil operator, had posted on the cybercriminal forum XSS discussing what happened. He claimed someone had taken control of the group's Tor payment portal and data leak website.
In the messages, 0_neday explains that he and "Unknown", a leading representative of the group, were the only two members of the gang who held the private keys for REvil's onion domains. "Unknown" disappeared in July, leaving the other members of the group to assume he had died.
The group resumed operations in September, but this weekend, 0_neday wrote that the REvil domain had been accessed using the keys of "Unknown."
In another message, 0_neday said, "The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others -- this was not. Good luck, everyone; I'm off."
Now Reuters has confirmed that law enforcement officials from the US and other countries, alongside a number of cybersecurity experts, were behind the actions 0_neday described on Sunday.
VMware head of cybersecurity strategy Tom Kellermann and other sources told Reuters that the governments hacked REvil's infrastructure and forced it offline.
The FBI and White House did not respond to requests for comment.
Jake Williams, CTO of BreachQuest, told ZDNet that REvil's compromise had been discussed in closed cyber threat intelligence (CTI) groups since at least October 17.
"It was known no later than the 17th that core group members behind REvil were almost certainly compromised. By standing up the Tor hidden services, someone demonstrated they had the private keys required to do so. This was effectively the end of REvil, which was already having trouble attracting affiliates after its infrastructure went offline in July following the Kaseya attack," Williams said.
"To attract affiliates, REvil had been offering up to 90% profit shares but were still finding few takers. After the Tor hidden service was turned on, demonstrating possession of the private keys, it was obvious that the group had been breached, and they would be unable to attract new affiliates for operations. A big open question in my mind is whether re-enabling the Tor hidden services was a counterintelligence mistake by law enforcement or was an intentional act to send a message. There are certainly arguments for either case."
The FBI has faced backlash in recent weeks after revealing that it had obtained a universal decryption key for the hundreds of victims affected by the ransomware attack on Kaseya.
But FBI officials told Congress that they held off providing the keys to victims for weeks because they were planning a multi-country effort to take down REvil's infrastructure. REvil ended up closing shop before the operation could be undertaken, and the FBI eventually handed out the keys to victims and helped a company create a universal decryptor.
Reuters reported that when the group resurfaced in September, it restarted servers that law enforcement officials had already taken over, and that this led to the most recent law enforcement action. Reuters added that the operation is still ongoing.
Williams noted that it appears likely that at least some arrests were involved, pointing back to the original messages from 0_neday.
"The launch of the hidden service indicates someone else possesses the private keys for their hidden services. While the keys could potentially have been acquired purely through hacking back, it's hard to imagine that's the case given Unknown's disappearance as well. The obvious conclusion is that it's likely Unknown (or a close coconspirator) was arrested, though the arrest may have been enabled via hacking back operations," Williams said.
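Two technical points run through the account above: 0_neday's description of his torrc having its HiddenServiceDir entry removed and replaced with someone else's, and Williams' observation that bringing a hidden service back up at the same address proves possession of its private key. The second holds because a v3 .onion address is derived directly from the service's ed25519 public key, so only the holder of the matching private key can answer for it. The following is an added example, written for this edit and not code from ZDNet, Reuters or REvil's own setup; it derives and verifies v3 onion addresses per the Tor rend-spec-v3 construction and runs the kind of torrc consistency check an operator would use to spot an entry that was dropped or swapped. The key material, directory paths and torrc contents are constructed for illustration.

```python
import base64
import hashlib

# A v3 onion address is a pure function of the service's ed25519 public key
# (Tor rend-spec-v3): base32(PUBKEY || CHECKSUM || VERSION), where
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 3.
# Standing up a service at that address therefore proves control of the private key.
ONION_VERSION = b"\x03"
# On-disk layout of Tor's hs_ed25519_public_key: 32-byte tag followed by the 32-byte key.
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the 56-character .onion hostname bound to an ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Decode a v3 .onion address back to its public key, verifying version and checksum."""
    label = address.strip().lower().removesuffix(".onion")
    raw = base64.b32decode(label.upper())
    if len(raw) != 35 or raw[34:] != ONION_VERSION:
        raise ValueError("not a v3 onion address")
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("onion address checksum mismatch")
    return pubkey


def pubkey_from_hs_file(blob: bytes) -> bytes:
    """Extract the raw key from the contents of a hs_ed25519_public_key file."""
    if len(blob) != 64 or blob[:32] != HS_PUBKEY_HEADER:
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return blob[32:]


def hostname_matches_key(hostname: str, pubkey_file: bytes) -> bool:
    """True if the service's `hostname` file agrees with the key in its directory."""
    return hostname.strip() == onion_v3_address(pubkey_from_hs_file(pubkey_file))


def hidden_service_dirs(torrc_text: str) -> list[str]:
    """Return the HiddenServiceDir paths configured in a torrc, in file order."""
    dirs = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hiddenservicedir":
            dirs.append(parts[1].strip())
    return dirs


def audit_torrc(torrc_text: str, expected_dirs: set[str]) -> dict:
    """Report HiddenServiceDir entries that vanished from, or appeared in, the torrc."""
    configured = set(hidden_service_dirs(torrc_text))
    return {
        "removed": sorted(expected_dirs - configured),
        "added": sorted(configured - expected_dirs),
    }


# Constructed sample data (hypothetical key bytes and paths, not a real service).
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_PUBKEY_FILE = HS_PUBKEY_HEADER + SAMPLE_PUBKEY
SAMPLE_TORRC = """\
# constructed torrc: the operator's second service has been replaced by a foreign one
SocksPort 9050
HiddenServiceDir /var/lib/tor/payment_portal/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/attacker_decoy/
HiddenServicePort 80 127.0.0.1:8081
"""
EXPECTED_DIRS = {"/var/lib/tor/payment_portal/", "/var/lib/tor/leak_site/"}

if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("key recovered from address:", parse_onion_v3(addr) == SAMPLE_PUBKEY)
    print("hostname file consistent:", hostname_matches_key(addr, SAMPLE_PUBKEY_FILE))
    print("torrc audit:", audit_torrc(SAMPLE_TORRC, EXPECTED_DIRS))
```

The audit only compares directory names against a list the operator keeps out of band; the per-directory `hostname_matches_key` check is what catches the swap 0_neday described, where the torrc still carries a HiddenServiceDir line but the directory it points to holds someone else's key.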
For those hit with ransomware after the group's return, Williams said it was unlikely that the government had decryption keys or that the remaining gang members would release them.
"After the July disruptions, it's believed that REvil reset the campaign keys used by each affiliate. Core REvil user 0_neday announced that campaign keys would be given to REvil affiliates so they could continue negotiating with their victims. It seems unlikely at this point that the US government has a master key for REvil," Williams explained.
"After the backlash over not releasing the campaign key used in the Kaseya attack, it's hard to believe the government would risk more negative publicity. Individual affiliates may release their campaign keys, but it seems doubtful at this time that the core REvil group will."
Williams added that REvil affiliates regularly used double extortion -- the exfiltration of data from victim networks with the threat of release -- to compel payment. He noted that typically, these affiliates stay in line and don't release data because doing so would remove them from future work with the core group.
But now that work from REvil will be drying up, affiliates will need new sources of revenue.
"It won't be surprising to see stolen data sold on the dark web. I anticipate that some organizations who believed their data was safe because they paid a REvil ransom are in for a rude awakening," Williams told ZDNet.