Ransomware victims panicked while FBI secretly held REvil decryption key

During the REvil ransomware attack in the summer of 2021, the FBI secretly held for three weeks a key that would have decrypted data and computers on as many as 1,500 networks, including those owned by schools, hospitals, and businesses.
The FBI had obtained the key by accessing the REvil gang's servers. According to The Washington Post, after consulting with other agencies the bureau decided to withhold the key from victims rather than tip off the criminals. Sources told The Post that the FBI hoped to use the access to shut down REvil's operations, and handing out the key would have revealed that its servers had been compromised.

REvil, however, went dark on July 13, before the FBI could act. Even then, the FBI did not hand over the key until July 21, for reasons that remain unclear.

On Tuesday, FBI Director Christopher Wray told Congress that "we make decisions collectively and not individually. These are complicated... decisions designed to have maximum impact. It takes time to go against adversaries, where we must marshal resources from all parts of the country and the globe."

Many years of disruption

REvil is a Russia-based ransomware gang, first seen in 2019, that is notorious for the high-pressure tactics it uses to extort its victims. It demanded $21 million from a celebrity law firm representing Madonna and U2, then raised the demand and leaked files relating to Lady Gaga when the firm did not pay. In April 2021 the gang stole data from Quanta Computer and published details about two unreleased Apple products. Around the same time, DarkSide, a separate ransomware operation that researchers have linked to REvil, shut down Colonial Pipeline, which carries fuel from Texas to New Jersey, causing fuel shortages along the US East Coast.


This summer, the group returned to prominence when it disrupted the operations of Brazil-based meat processor JBS, forcing several plants in the US and Canada to close. It struck again in early July by exploiting a zero-day vulnerability in VSA, a remote management product made by Kaseya, a Florida-based IT company. Through that flaw, REvil gained access to 54 managed service providers that administer networks for more than 1,500 downstream companies.

The attack hit grocery stores in Sweden, town halls in Maryland, schools in New Zealand, and a hospital in Romania. Coop, a Swedish grocery chain, closed 700 stores and took six days to reopen them. Other victims were left with lasting problems restoring their systems.

They are back

Last Thursday, security company Bitdefender published a universal decryption tool for computers and networks encrypted before REvil went dark on July 13. A Bitdefender executive said roughly 250 victims have used the tool so far. Bitdefender said the key that made the tool possible was provided by a law enforcement agency, which The Post reports was not the FBI.

The Post reported that REvil resurfaced this month, with at least eight new victims, despite the FBI's efforts to shut it down. Bitdefender's tool does not work for these new victims, a sign that REvil retooled its operation during its brief downtime.