Ransomware group REvil forced offline in FBI-led operation
The ransomware group REvil, which carried out an extortion attack against Apple supplier Quanta Computer, was itself hacked and forced offline this week in a multi-country operation led by the FBI in partnership with the Secret Service. REvil has been responsible for numerous high-profile cyberattacks, including the July supply-chain attack on Kaseya that compromised hundreds of the company's customers at once.
Citing three private-sector cyber experts working with the United States and one former official, Reuters on Thursday reported that the FBI, U.S. Cyber Command, and the Secret Service joined forces with unspecified foreign governments to hack into REvil’s servers.
The effort to take control of the group's servers accelerated after the ransomware group compromised U.S. software management company Kaseya in July. Because Kaseya's product is used to manage customers' systems remotely, the breach opened access to hundreds of the company's customers at once, prompting numerous emergency incident response calls. Following the attack, the FBI acquired a universal decryption key that allowed affected organizations to recover their files without paying a ransom. Law enforcement officials initially withheld the key while the FBI made headway on its hacking operation, since releasing it would have signalled to the group that its infrastructure had been penetrated.
A few weeks after the Kaseya attack, the websites the group used went offline for unknown reasons. When members of the gang restored those websites from a backup in September, they unknowingly restarted systems that were already controlled by law enforcement: the backups themselves had been compromised, so restoring from them simply brought the compromised infrastructure back online.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
REvil is allegedly responsible for a number of cybercrimes, including the April hack of Apple supplier Quanta. On Tuesday, April 20, REvil declared that it had accessed the internal computers of Apple's main MacBook supplier, Taiwan-based Quanta Computer Inc., and demanded $50 million by April 27 in exchange for not leaking product blueprints. As proof, the group leaked several schematics; however, it removed all references to the attack from its leak site soon after, without explanation.