Reuters reported last Thursday that REvil, the Russia-linked ransomware group, had been forced offline through the cooperation of the FBI, Secret Service and Cyber Command in the United States and cybersecurity organizations from other countries, including the UK. REvil was responsible for the July attack on Kaseya, an IT solutions provider for MSPs and enterprise clients, and for the attack on U.S. meatpacker JBS. The May attack on Colonial Pipeline, which resulted in widespread fuel shortages on the U.S. East Coast, was the work of a different Russia-linked group, DarkSide, but it is what pushed ransomware to the top of the U.S. agenda. The New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, which tracks the group, is quoted below.



REvil primarily operated as a ransomware-as-a-service (RaaS) outfit. The operators develop, or pay somebody to develop, malware used to hold computers or IT networks to ransom, then hand it to affiliates, who download the ransomware builds via a portal and infect targets, usually enterprise or SMB operations. If a victim pays, the ransom is split between the operator and the affiliate. In REvil's case, the affiliate kept 70% of the payment and REvil took the remaining 30%.




In early July this year, following the Kaseya attack, which produced thousands of ransomware victims across Kaseya's customers, REvil went offline. U.S. President Joe Biden spoke personally to his Russian counterpart, Vladimir Putin, and pressed him about ransomware attacks originating from Russian soil. It is believed that REvil's temporary shutdown was a result of that conversation, although officials from both countries denied having anything to do with REvil's closure.




On 7 September, REvil's 'Happy Blog', the Dark Web site used to leak victim data and extort companies, was active again. There was a change, though. Before the shutdown in July, the malware contained a backdoor that REvil's operators could use to decrypt systems and files encrypted by their affiliates' deployments. When REvil resurfaced, the backdoor had disappeared.


Yelisey Boguslavskiy, head of research at AdvIntel, said of this:


“It looks like the backdoor was around since the very beginning of the REvil RaaS operation and it disappeared during REvil’s restart. In other words, the old REvil – the one before quitting in July – had the backdoor, and the new one, restarting in September, doesn’t have one.”

Boguslavskiy also explained the purpose of the backdoor:


“By using this backdoor, REvil can hijack victim cases during active negotiations with affiliates and obtain the 70% of ransom payments that are supposed to go to the affiliates. We have previously known that REvil has been using double chats when two identical chats are open with the victim by the affiliate and by REvil leadership. At a critical point of negotiations, the leadership switched down the affiliate chat – imitating the victim quitting the negotiations without paying – while continuing to negotiate with the victim to get the full income.”




But even double-crossing its affiliates wasn't enough to keep REvil operational. After the Kaseya attack in July, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. Law enforcement had also gained access to REvil's own infrastructure, and when the gang restored its websites from a backup after going down in July, it unknowingly restarted internal systems that were already under law-enforcement control. Oleg Skulkin, deputy head of the forensics lab at the Russian-founded security company Group-IB, said:


“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised. Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.”
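Group-IB's point is that a backup restored on trust is only as trustworthy as the last party that had write access to it. The following is an added example written for this page, not code from REvil, Group-IB or the article's author: it shows the check a defender would want before restoring, a manifest of per-file SHA-256 hashes authenticated with an HMAC key kept off the backup host, so a backup set modified after it was taken (a planted file, an edited config, or a re-signed manifest) is refused instead of restarted. The directory layout, file contents and key are constructed sample data.

```python
"""Verify a backup set against an HMAC-authenticated manifest before restoring.

Added example (not from the original article). Assumption: the HMAC key is
stored somewhere the backup host cannot reach (offline, HSM, separate vault),
so an intruder who can rewrite the backup cannot also re-sign the manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large archives work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(backup_dir: str) -> dict:
    """Map of relative path -> SHA-256 for every file under backup_dir."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def _tag(entries: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical (sorted) JSON form of the listing."""
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: str, key: bytes) -> dict:
    """Produce the manifest at backup time; store it with the key, not the backup."""
    entries = _listing(backup_dir)
    return {"entries": entries, "hmac": _tag(entries, key)}


def verify_backup(backup_dir: str, manifest: dict, key: bytes) -> list:
    """Return a sorted list of problems; an empty list means the backup matches."""
    if not hmac.compare_digest(_tag(manifest["entries"], key), manifest["hmac"]):
        # Without a valid tag the listing itself cannot be trusted, so stop here.
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    current = _listing(backup_dir)
    expected = manifest["entries"]
    problems = []
    for rel in current.keys() - expected.keys():
        problems.append(f"unexpected file added: {rel}")
    for rel in expected.keys() - current.keys():
        problems.append(f"file missing: {rel}")
    for rel in current.keys() & expected.keys():
        if current[rel] != expected[rel]:
            problems.append(f"content changed: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: clean restore, tampered backup, forged manifest."""
    key = b"constructed-demo-key; real keys live off the backup host"
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "www"))
        with open(os.path.join(d, "www", "index.php"), "w") as f:
            f.write("<?php echo 'leak blog'; ?>\n")
        with open(os.path.join(d, "config.json"), "w") as f:
            f.write('{"db": "blog"}\n')
        manifest = build_manifest(d, key)
        clean = verify_backup(d, manifest, key)

        # An intruder with write access plants a file and edits a config
        # inside the backup set before the owner restores from it.
        with open(os.path.join(d, "www", "extra.php"), "w") as f:
            f.write("planted\n")
        with open(os.path.join(d, "config.json"), "a") as f:
            f.write("# tampered\n")
        tampered = verify_backup(d, manifest, key)

        # The intruder regenerates the manifest, but without the real key.
        forged = verify_backup(d, build_manifest(d, b"wrong-key"), key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(f"{label}: {result or 'OK to restore'}")
```

The manifest is checked first, because a listing whose tag does not verify tells you nothing about the files; only after that does a per-file comparison report what was added, removed or changed. Running the script prints an empty problem list for the untouched set, the two modifications for the tampered set, and a single HMAC failure for the re-signed one.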




A few days ago REvil went offline again and the 'Happy Blog' website is no longer available. Tom Kellermann, head of cybersecurity strategy at VMware and an adviser to the U.S. Secret Service on cybercrime investigations, said:


“The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”




REvil may be history, but a multitude of cybercriminal gangs are still out there, eager to penetrate and paralyze the IT systems of companies around the world. But don't fret about ransomware or any other cybersecurity concern you may have. Zhero is a leader in the field of professional business IT security, cybersecurity and risk mitigation, with more than 20 years of experience in IT to back up that claim. Contact Zhero for all your cybersecurity training, system monitoring, and data protection and backup needs.