Governments turn tables on ransomware gang REvil by pushing it offline

US officials talk about the Colonial Pipeline ransomware attack during a news conference in Washington, D.C. on June 7, 2021. (REUTERS/File Photo)

Updated 22 October 2021

  • Law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers
  • One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture

The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.
Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the US East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available.
Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.
VMware head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.
"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the US Secret Service on cybercrime investigations. "REvil was top of the list."
A leadership figure known as "0_neday," who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.
"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. "Good luck, everyone; I'm off."
US government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised US software management company Kaseya in July. 
That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls.

Decryption key
Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom.
But law enforcement officials initially withheld the key for weeks while they quietly pursued REvil's staff, the FBI later acknowledged.
According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.
After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet.
When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”
Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept disconnected from the main networks, or they too can be encrypted by extortionists such as REvil. A backup is also only as trustworthy as it was when it was taken: restoring one that was copied after an intruder was already inside brings the intruder back with it.
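As an added example (not part of the Reuters report, and not tooling belonging to REvil, the FBI or any of the firms quoted), the following Python checks a backup set against a manifest that was authenticated with a key kept off the backed-up network, so that a backup which ransomware has encrypted, or which has been altered since it was taken, is rejected before anyone restores from it. The directory layout, file contents and key are constructed for the demo.

```python
"""Added example: verify a backup set against an HMAC-authenticated manifest.

The manifest key is assumed to live somewhere the backed-up hosts cannot reach
(an offline vault, a separate credential store). An attacker who can encrypt
the backup share can rewrite the file list, but cannot produce a valid MAC.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _snapshot(backup_root: Path) -> dict:
    """Relative path -> digest for every regular file under backup_root."""
    return {p.relative_to(backup_root).as_posix(): file_digest(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def _mac(entries: dict, key: bytes) -> str:
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Taken at backup time; store the result next to the key, not on the share."""
    entries = _snapshot(backup_root)
    return {"files": entries, "mac": _mac(entries, key)}


def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup matches the manifest."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        # Fail closed: a manifest that does not authenticate tells us nothing.
        return ["manifest MAC mismatch: manifest itself was altered or wrong key"]
    current = _snapshot(backup_root)
    problems = []
    for name, digest in manifest["files"].items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> tuple:
    """Constructed scenario: a clean backup, the same backup after ransomware
    overwrote one file and dropped a note, and an attacker's forged manifest."""
    key = os.urandom(32)  # assumption: held offline, never on the backed-up hosts
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(
            b"INSERT INTO customers VALUES (1, 'acme');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulated ransomware reaching the backup share (constructed data).
        (root / "db" / "customers.sql").write_bytes(b"\x8f\x1a\x00ENCRYPTED\x9c\x02")
        (root / "README_RESTORE.txt").write_bytes(b"Pay to decrypt.\n")
        tampered = verify_backup(root, manifest, key)

        # Attacker rebuilds the manifest to match, but has no key to sign it.
        forged = verify_backup(root, build_manifest(root, b"attacker-guess"), key)
    return clean, tampered, forged


if __name__ == "__main__":
    clean, tampered, forged = demo()
    print("clean backup:", clean or "OK")
    print("tampered backup:", tampered)
    print("forged manifest:", forged)
```

The point of the MAC is the key's location, not the algorithm: if the key sits on the same share as the backup, the attacker who encrypts the backup can also re-sign the manifest, and the check degrades into a plain checksum. Run the verification from a host that was not part of the compromised network, and treat any non-empty result as a reason not to restore.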
A spokesperson for the White House National Security Council declined to comment on the operation specifically.
"Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable," the person said.
The FBI declined to comment.
One person familiar with the events said that a foreign partner of the US government carried out the hacking operation that penetrated REvil's computer architecture. A former US official, who spoke on condition of anonymity, said the operation is still active.
The success stems from a determination by US Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, Kellermann said.
In June, Principal Associate Deputy Attorney General John Carlin told Reuters the Justice Department was elevating investigations of ransomware attacks to a similar priority.
Such actions gave the Justice Department and other agencies a legal basis to get help from US intelligence agencies and the Department of Defense, Kellermann said.
"Before, you couldn't hack into these forums, and the military didn't want to have anything to do with it. Since then, the gloves have come off." 


Francis begins first papal visit to Athens in two decades
Updated 04 December 2021

  • The pope’s trip will see him return on Sunday to the island of Lesbos, which he last visited in 2016 during the early years of the migration crisis

Athens: Pope Francis on Saturday began a landmark trip to Greece with the first visit to Athens by a pontiff in two decades, aiming to improve relations with the Orthodox Church of Greece and highlight the plight of refugees.
Flying in after a two-day trip to Cyprus, the pope landed shortly after 0900 GMT and was greeted at Athens airport by Greek Foreign Minister Nikos Dendias and senior officials from the Greek Catholic community.
The pope’s trip will see him return on Sunday to the island of Lesbos, which he last visited in 2016 during the early years of the migration crisis.
The 84-year-old’s visit to the Greek capital is the first by a Pope since John Paul II in 2001, which in turn was the first papal visit to Athens since the 1054 Schism between the Catholic and Orthodox Churches.
Francis is seeking to improve historically difficult relations with the Orthodox Church — strained by the Schism and the 1204 sack of Constantinople during the Fourth Crusade — while also highlighting the plight of thousands of refugees and asylum seekers in Greece.
“I ardently long to meet you all, all, not only Catholics, but all of you,” he said in a message before embarking on his 35th international trip, which began on Thursday with the visit to Cyprus.
“By meeting you, I will quench my thirst at the springs of fraternity.”
Francis on Saturday will meet Greek President Katerina Sakellaropoulou, Prime Minister Kyriakos Mitsotakis and the head of the Church of Greece Archbishop Ieronymos.
He is then scheduled to see members of Greece’s small Catholic community, which represents just 1.2 percent of the majority-Orthodox population.


France, Europeans working to open joint mission in Afghanistan — Macron
Updated 04 December 2021

  • The United States and other Western countries shut their embassies and withdrew their diplomats as the Taliban seized Kabul

DOHA: Several European countries are working on opening up a joint diplomatic mission in Afghanistan that would enable their ambassadors to return to the country, French President Emmanuel Macron said on Saturday.
Western countries have been grappling with how to engage with the Taliban after they took over Afghanistan in a lightning advance in August as US-led forces were completing their pullout.
The United States and other Western countries shut their embassies and withdrew their diplomats as the Taliban seized Kabul, following which the militants declared an interim government whose top members are under US and UN sanctions.
“We are thinking of an organization between several European countries... a common location for several Europeans, which would allow our ambassadors to be present,” Macron told reporters in Doha before heading to Jeddah in Saudi Arabia.
The United States, European countries and others are reluctant to formally recognize the Pashtun-dominated Taliban, accusing them of backtracking on pledges of political and ethnic inclusivity and to uphold the rights of women and minorities.
“This is a different demarche than a political recognition or political dialogue with the Taliban ... we will have a representation as soon as we can open,” he said, adding that they still needed to iron out security issues.
In a statement following talks with the Taliban a week ago, the European Union suggested it could open a mission soon.
“The EU delegation underlined that the possibility of establishing a minimal presence on the ground in Kabul, which would not entail recognition, will directly depend on the security situation, as well as on effective decisions by the de facto authorities to allow the EU to ensure adequate protection of its staff and premises,” it said.
France separately announced on Friday that it had carried out an evacuation mission in Afghanistan with Qatar’s help, taking more than 300 people, mostly Afghans, out of the country.


Storm weakens after heavy rain, evacuation in southern India
Updated 04 December 2021

  • Authorities shut schools, canceled trains and anchored fishermen’s boats in the affected areas until Sunday

HYDERABAD, India: A tropical storm weakened after dumping heavy rains overnight in parts of southern India off the Bay of Bengal as more than 50,000 people evacuated to government-run camps, officials said Saturday.
No loss of life or major damage has been reported so far from the rain-hit areas of Andhra Pradesh state.
Kanna Babu, a state commissioner for disaster management, said 54,000 people who evacuated on Friday from vulnerable areas were waiting in nearly 200 state-run relief camps for the weather to clear before returning to their homes.
Authorities shut schools, canceled trains and anchored fishermen’s boats in the affected areas until Sunday.
The storm is likely to further weaken later Saturday and curve toward eastern Odisha state before making landfall on Sunday as a deep depression, the India Meteorological Department said.
Scientists say that cyclones and powerful storms in the Indian Ocean are becoming more frequent and intense due to climate change.
“The Bay of Bengal and the Arabian Sea are now warmer compared to earlier decades because of climate change,” said K.J. Ramesh, one of India’s top meteorologists and the former chief of the weather agency.
He said that storms were also forming simultaneously as a result of climate change over the past decade — a phenomenon that was rare in the past.
In May, two storms hit India within 10 days, with Cyclone Tauktae killing at least 140 people across western states. Nearly 70 of the victims were on a barge that ripped free of its anchors and sank off Mumbai’s coast.
In May last year, nearly 100 people died in Cyclone Amphan, the most powerful storm to hit eastern India in more than a decade. It flattened villages, destroyed farms and left millions without power in eastern India and Bangladesh.
Some of the deadliest tropical cyclones on record have occurred in the Bay of Bengal. A 1999 super cyclone killed around 10,000 people and devastated large parts of Odisha. Due to improved forecasts and better-coordinated disaster management, the death toll from Cyclone Phailin, an equally intense storm that hit in 2013, was less than 50, according to the World Meteorological Organization.

210 migrants found packed into truck in central Mexico
Updated 04 December 2021

  • The National Migration Institute said the truck failed to stop as directed at a checkpoint in Puebla state on Friday
  • When the doors of the trailer were opened, agents found women, men and children amid cushions and homemade fans
MEXICO CITY: Mexican immigration authorities say they discovered 210 migrants packed into a truck trailer in the central part of the country.
The National Migration Institute said the truck failed to stop as directed at a checkpoint in Puebla state on Friday and it was pulled over after a pursuit near the city of Tecamachalco.
When the doors of the trailer were opened, agents found women, men and children amid cushions and homemade fans, the institute said. The driver of the truck was detained.
The discovery came two weeks after authorities found 600 migrants in two trailers in the eastern state of Veracruz.

Australia omicron variant spreads, testing reopening plans
Updated 04 December 2021

  • Queensland authorities suspected its first Omicron case in a person who traveled from South Africa

MELBOURNE: The Omicron coronavirus variant spread in Australia on Saturday, testing plans to reopen the economy as a cluster in Sydney grew to 13 cases and an infection was suspected in the state of Queensland.
Federal authorities are sticking with a plan to reopen the economy on the hope that the new variant proves to be milder than previous strains, but some state and territory governments have moved to tighten their domestic border controls.
Australia reported its first community transmission of Omicron on Friday at a school in Sydney. Authorities are investigating the source and said more cases were expected.
Queensland authorities said they suspected the state's first Omicron case in a person who traveled from South Africa and that genome sequencing was ongoing.
“The public health unit have ruled out that it is Delta but we haven’t been able to confirm if it is Omicron,” state Health Minister Yvette D’Ath said. “But it is being treated as if it is.”
Authorities in South Australia said on Saturday that arrivals from New South Wales, Victoria and the capital territory will be tested. The state reopened its domestic borders only days ago for the first time in months.
Several thousand people protested vaccination mandates in Melbourne, with the demonstrations now a weekly event that has been attracting groups of regular citizens, as well as far-right and conspiracy theory supporters.
A smaller counter-protest called to stop the far-right movement in the city and support vaccinations.
The state of Victoria, home to Melbourne, requires full vaccination to access most hospitality services and non-essential retail, as well as to work in health care and many other industries.
Nearly 88 percent of Australians over the age of 16 have been fully vaccinated, health data showed.
Anti-vaccination supporters make up only a single-digit percentage of Australians, according to polls. But unvaccinated patients make up the vast majority of those hospitalized with the coronavirus. In Victoria, 90 percent of the 44 people in intensive care have not been fully vaccinated, health data showed.
Despite battling many outbreaks this year, leading to months of lockdown in Sydney and Melbourne — Australia’s largest cities — the country has had only about 834 confirmed COVID-19 cases and 7.9 deaths per 100,000 people, according to the World Health Organization, a fraction of many other developed nations.
Australia has had just under 215,000 cases in total and 2,042 deaths.