Skip to main content

Feds reportedly take down top ransomware hacker group REvil with a hack of their own

Feds reportedly take down top ransomware hacker group REvil with a hack of their own


REvil, the alleged group behind some Apple leaks, is said to be no longer operating

Share this story

Illustration by Alex Castro / The Verge

The government has successfully hacked the hacking group REvil, the entity behind the ransomware that’s been linked to leaked Apple leaks, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources tell it that the FBI, Secret Service, Cyber Command, and organizations from other countries have worked together to take the group’s operations offline this month. The group’s dark web blog, which exposed information gleaned from its targets, is also reportedly offline.

Reports about the group going offline started surfacing earlier this week, with TechCrunch writing that its Tor website was no longer available on Monday. There was speculation of a hack, fueled by a forum post from one of the group’s suspected leaders saying that its server was “compromised,” but at the time, it was unclear who was responsible. Reuters cites sources that say the government’s operation against ransomware hackers, including REvil, is still ongoing.

The US has been turning the screws on ransomware groups

The US is slowly turning the screws on groups associated with ransomware, as the attacks become more and more costly for companies (one company reportedly paid a $40 million ransom to restore its operations). The Treasury pushed sanctions that make it harder to turn hacked machines into cash, and the Department of Justice created a team for investigating crimes committed by cryptocurrency exchanges, citing the impact of ransomware several times in its announcement.

REvil has had plenty of heat on it due to the high-profile or high-impact nature of the attacks it’s linked to. It’s blamed for an attack on an Apple supplier that leaked schematics of the MacBooks that launched this week, as well as attacks on massive meat processor JBS, IT management software developer Kaseya, Travelex, and Acer. The group was named by the US Treasury’s Financial Crimes Enforcement Network as one of the biggest ransomware groups in terms of reported payouts.

REvil is one of the largest ransomware groups, according to the Treasury

REvil has gone offline before — its site disappeared from the dark web in July, just a month after the FBI said the group was responsible for bringing down JBS, a company responsible for a fifth of the world’s meat supply.

It’s always possible that the group could come back, though trying to recover from going down in July is reportedly what opened it up to attacks from the US in the first place. According to Reuters’ sources, one of the group’s members restored a backup and unwittingly included systems compromised by law enforcement. A Russian security expert tells Reuters that infecting backups is a tactic commonly used by REvil itself.