Threat Intelligence / OSINT / NETSEC / NATSEC

CyberPolice - REvil 1: 0 - on the risks of being a ransomware operator

Yesterday, Washington Post journalists published an article about the end of the REvil group's activities as a result of an operation carried out by US Cyber Command. Curbing REvil's actions is certainly good news for everyone: the criminals are responsible, for example, for the ransomware attacks on Kaseya and JBS, and they made life miserable for many companies. The most interesting question, however, is what directly led the REvil operators to close the operation. The Cyber Command operation itself was not based on destructive actions such as destroying data on C2 servers, but on hijacking a site in the Tor network that the criminals used to blackmail victims and extort ransoms. In essence, it was only a hindrance to doing business: it would certainly slow down the group's activities temporarily, but it did not permanently hit the key elements of the operation.

Fortunately, REvil itself provided insight into the rationale behind its decision by discussing the course of events on a Russian-language forum. As reported by the Washington Post, in October the criminals noticed the domain hijack, which prompted them to check their servers for signs of intrusion. And while the group did not discover anything unusual at first, a closer look apparently brought an unpleasant surprise: they found a break-in carried out by security services this summer.

"The server was compromised," he wrote hours later, "and they are looking for me." And then: "Good luck everyone, I'm taking off."

0_neday, the forum handle used by the group's leader, apparently concluded that the break-in meant the services were already actively investigating REvil's activities, and therefore that further operations were not worth the potential risk. There are at least a few interesting conclusions to draw from the whole situation.

First, this is perhaps the first disclosed operation in which Cyber Command has taken offensive action against a ransomware group. If we refer to the Course of Action Matrix model of defensive operations, this Cyber Command operation falls under Disrupt or Degrade, leaning rather towards Degrade. Redirecting traffic and hijacking the domain would not in itself prevent ransom collection, but it would temporarily slow down the pace.

Secondly, thanks to the live coverage the interested parties provided on the forum, Cyber Command (and the rest of the world) received a kind of feedback on how effective various types of activities are in deterring ransomware operators. While the domain takeover itself did not cause panic, the discovery of signs of hacking that suggested the security services' interest immediately led to the cessation of malware distribution, recruitment of new partners and ransom negotiations. The obvious conclusion is that it is the threat of disclosure of identity, arrest, or, more generally, criminal liability that motivates operators to end this very profitable business. This conclusion to some extent coincides with the position I presented in a speech I recorded for the Cambridge International Symposium on Economic Crime: the effectiveness in combating ransomware will be directly proportional to how engaged and willing to cooperate the countries in which the groups operate will be. However, there is a very important catch here. The leader of REvil did not know which services, and from which country, had hacked the server; the mere fact of potential interest was enough to scare off the criminals. It will therefore be very interesting to see what happens next, and whether the knowledge that US agencies are responsible for the operations will make the group resume its activity, hoping for continued immunity in Russia. On the other hand, the interest of law enforcement agencies is not limited to the direct members of REvil. The group operated on a Ransomware-as-a-Service basis, recruiting partners who infected systems in return for a share of the profits, and who will now have second thoughts about whether they want to engage in, let's call it, highly publicized activity. Finally, seeing the panic aroused by the interest itself, American agencies can reach for their recently favored weapon against cybercriminals: indictments that reveal the identity of the perpetrators.
In the case of intelligence officers it is difficult to expect that such indictments will bring spectacular results (whether it is possible to discourage states from conducting intelligence activities is a topic for a separate post), but criminals who want to earn money and perhaps one day live in luxury in a country of their choosing may painfully feel the publication of their likeness. Not to mention REvil partners living in the countries where Europol operates.

As we can see, it all comes down to risk assessment. Just as in the corporate environment, where some risks are accepted and others are not, law enforcement agencies have probably finally hit a sensitive point: a level of risk unacceptable to the criminals. Let us hope that other ransomware operators adopt a similarly conservative approach to acceptable risk and decide to cease further operations.
