A major overseas ransomware group shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter.

The foreign government hacked the servers of REvil this summer, but the Russian-speaking criminal group did not discover it was compromised until Cybercom last month blocked its website by hijacking its traffic, said the officials who spoke on the condition of anonymity because of the matter’s sensitivity.

Cybercom’s action was not a hack or takedown, but it deprived the criminals of the platform they used to extort their victims – businesses, schools and others whose computers they’d locked up with data-encrypting malware and from whom they demanded expensive ransoms to unlock the machines, the officials said.

In the hours after the Cybercom operation, which has not been previously reported, one of REvil’s leaders saw the site’s traffic had been redirected.

“Domains hijacked from REvil,” wrote 0_neday, an REvil leader, on a Russian-language forum popular with cyber criminals, on Oct. 17.

More on Technology »



A “third party,” he wrote – without knowing Cybercom was responsible – had cloned the group’s webpage having obtained the private keys to its server, which is reachable only through Tor, a special browser that routes Internet traffic through a worldwide network of servers to anonymize the user’s identity.

A first inspection did not turn up signs of compromise, 0_neday said on the forum.

Then he checked again, and this time what he found spooked him.

“The server was compromised,” he wrote hours later, “and they are looking for me.” And then: “Good luck everyone, I’m taking off.”

Soon after, REvil ceased operations, such as recruitment of affiliates, ransom negotiations and distribution of malware.

The Washington Post previously reported that REvil’s servers had been hacked in the summer, permitting the FBI to have access. The compromise allowed the FBI, working with the foreign partner, to gain access to the servers and private keys, officials said. The bureau was then able to share that information last month with Cybercom, enabling the hijacking, they said.


Cyber Command spokeswoman, Col. Sunset Belinsky, said: “As a matter of operational security, we wouldn’t provide comment on cyber intelligence, planning, or operations.”

Cybercom’s leader, Gen. Paul Nakasone, said at the Aspen Security Forum Wednesday that while he wouldn’t comment on specific operations, “we bring our best people together . . . the really good thinkers” to brainstorm ways to “get after folks” conducting ransomware attacks and other malign activities. “I’m pleased with the progress we’ve made,” he said, “and we’ve got a lot more to do.”

The group’s departure may be temporary. Ransomware gangs have been known to go underground, regroup and reappear, sometimes under a new name. But the recent development suggests that ransomware crews can be influenced – even temporarily – to cease operations if they fear they will be outed and arrested, analysts say.

“The latest voluntary disappearance of REvil highlights the powerful psychological impact of having these villains believe that they are being hunted and that their identities will be revealed,” said Dmitri Alperovitch, executive chairman of the think tank Silverado Policy Accelerator, and a cyber expert. “U.S. and allied governments should proudly acknowledge these cyber operations and make it clear that no ransomware criminal will be safe from the long reach of their militaries and law enforcement agencies.”

Cybercom’s operation came in the wake of high-profile REvil attacks. In June, REvil ransomed the world’s largest meat processor, Brazilian company JBS, in an action that temporarily halted operations at its nine beef processing plants in the United States and caused disruptions at other facilities in Canada and Australia.

In July the group struck again, this time targeting Kaseya, a Miami-based IT firm, infecting its software updates with ransomware that spread to hundreds of businesses. In a post on REvil’s “Happy Blog” site, the group initially demanded $70 million to provide a decryption key to unlock the files of businesses victimized by the attack.


REvil has disappeared before.

In July, after the Kaseya hack, President Joe Biden warned Russian President Vladimir Putin that the United States would take “any necessary action” to defend critical infrastructure. Around the same time, another group member who went by the nickname “unknown”disappeared. Unknown’s vanishing unnerved the group, and without warning, it went offline. It is unclear whether Biden’s warning played any role in either.

In any case, 0_neday explained in a post last month, “since there was no confirmation of the reason for his disappearance, we resumed our work, thinking he was dead.”

Privately REvil members were telling affiliates the group would return, according to Recorded Future threat intelligence analyst Dmitry Smilyanets, who closely tracks the group’s activities.

“They were telling people, ‘Don’t worry, everything’s okay – we will be back,'” Smilyanets said. “It wasn’t a secret in the community that the REvil brand would reemerge.”

REvil returned in September, picking up where it left off, recruiting new “affiliate” hackers to help it conduct attacks. Its victims included a plastics manufacturer and a legal aid service for the poor.

Then Cybercom struck.

Smilyanets said he believes “REvil as a brand is done.”

The malware developers and the hackers will keep doing what they have been doing, he predicted, but probably under a different name or for another group. As for 0_neday, Smilyanets predicts: “The guy will be back.”

Said Smilyanets: “He’s so adept at cybercrime. He will not quit. He wants his millions of dollars.”