REvil, the ransomware group behind this past July's attack on Kaseya, was itself hacked and forced offline by a multinational cyber operation, according to an exclusive report from Reuters. (The May attack on Colonial Pipeline, often conflated with REvil, was the work of the DarkSide group.)
The group was reportedly taken down through its own backups, the same kind of tactic ransomware crews use against their victims.
Officials from the Federal Bureau of Investigation (FBI), along with U.S. Cyber Command, worked with a number of other countries to bring down REvil as well as a number of other cybercrime groups.
In a recent post on an underground forum, one of the leaders of REvil, known only as 0_neday, wrote that “the server was compromised, and they were looking for me.”
“Good luck, everyone; I’m off,” 0_neday continued.
The takedown exploited a weakness in how the gang handled its backups: law enforcement had already gained access to REvil's backend infrastructure, so when the group restored its servers from those backups, the restored servers were under law-enforcement control as well, and the agencies were able to shut them down.
“REvil…restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, an official at the Russian security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
Reuters has described REvil as “one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world.”
The DarkSide ransomware attack on Colonial Pipeline in May led to fuel shortages across the U.S. Southeast and prompted a federal emergency declaration to keep fuel moving. The pipeline resumed operations after Colonial Pipeline Company paid DarkSide a ransom of roughly $4.4 million, part of which the U.S. Department of Justice later recovered.
REvil made headlines again in July when it compromised IT management software vendor Kaseya, abusing the company's VSA remote-management product to push ransomware to dozens of managed service providers and hundreds of their downstream customers.
The White House National Security Council told Reuters that they were “undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors,” but declined to comment specifically on the REvil operation.