Ransomware gang outraged at “bandit-mugging behavior of the United States” after REvil group pushed offline

Isn’t it ironic? (Don’t you think?)

Graham Cluley
@gcluley

Ransomware gang outraged at "bandit-mugging behavior of the United States" after REvil group pushed offline

What’s the definition of “ironic”?

You could ask Alanis Morrisette, who’ll just tell you something about too many spoons, or rain or your wedding day…. or you could hear a notorious cybercrime group moaning about the action being taken against a fellow ransomware gang.

Last week Reuters reported that law enforcement agencies in various countries, including the FBI, had managed to disrupt the activities of the REvil ransomware gang (sometimes known as Sodinokibi).

Sign up to our newsletter
Security news, advice, and tips.

REvil, you will recall, is the ransomware-as-a-service (RAAS) enterprise that rents out its expertise and infrastructure to other criminals – giving even those without technical ability a means to profit from ransomware. Victims of REvil ransomware attacks have included customers of Kaseya, meat supplier JBS, and a Swedish supermarket chain.

That’s enough to warrant some serious attention from the powers-that-be, and as Reuters reported last week, sources claim that “law enforcement and intelligence cyber specialists were able to hack REvil’s computer network infrastructure, obtaining control of at least some of their servers.”

As a result, the REvil’s group so-called “Happy blog, where it usually published its litany of corporate victims and shared hacked data, is no longer operational.

Ironically, according to the report, the REvil gang made a schoolboy error when trying to recover their systems:

When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”

These developments have not gone unnoticed by at least one other cybercrime gang engaged in ransomware attacks. For instance, Brian Krebs reports that a member of the Conti ransomware group ranted on a Russian language hacking forum that the action against REvil was a “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.”

He went on:

“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?

Is server hacking suddenly legal in the United States or in any of the US jurisdictions? Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone’s sovereignty.”

A cybercriminal who hacks into corporations for a living, complaining that criminal hackers have been hacked themselves.

Yup, that’s pretty ironic.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 comments on “Ransomware gang outraged at “bandit-mugging behavior of the United States” after REvil group pushed offline”

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.