IT Tips & Tricks

Published 26 October 2021

Feds & Multinational Task Force Hit Hackers in Reverse Cyber Attack


Instead of an article detailing the latest ransomware attack, we’ve got some good news to share with you. The FBI teamed up in a multinational effort to put a stop to a particular group of hackers. The result? Good guys, one. Hackers, zero. If you’re considering a data migration (such as to the Cloud, for example), this article could be pertinent to you.

The increase of ransomware attacks in 2021 has forced increased FBI involvement, culminating in a recent triumph, but this doesn’t mean we should be less vigilant in terms of our cyber security. Depending on whom you talk to and what parameters are used, the estimated 2021 increase in ransomware attacks ranges anywhere between 150 and 900 percent over the previous year. Regardless of which end of that scale you’re inclined to lean toward, the bottom line is that any increase is too much.

We’ve published several articles on this topic, variously mentioning REvil and DarkSide as two active ransomware groups. An ongoing investigation has determined that DarkSide is actually the encryption software used by REvil. The Russian-led criminal gang was responsible for the Colonial Pipeline attack in May of 2021, followed by the June attack on meatpacker, JBS, both of which we documented.

The estimated 2021 increase in ransomware attacks ranges anywhere between 150 and 900 percent over the previous year.

Last week, in a multinational operation, the tables were turned and REvil was hacked and forced offline. Additionally, their “Happy Blog” website, which has previously been used to leak victim’s data as part of their extortion racket, is no longer available.

jail-1762140_960_720 (1)

Hackers could find themselves in long-term not-so-luxury accommodations.

VMWare head of cybersecurity strategy, Tom Kellermann, commented. “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups.” Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations, added, “REvil was top of the list.”

In July, with law enforcement and intelligence cyber specialists in hot pursuit, several websites that REvil used to conduct their business went offline. Simultaneously, the main spokesperson for the group, referred to as “Unknown,” seemingly vanished from the internet. (We’ve restrained ourselves from “whereabouts unknown” puns.)

A Virtual Silver Platter

As luck would have it, in September an enthusiastic gang member by the name of O_neday took it upon himself to restore those websites from a backup, unaware that he’d restarted some internal systems that were already controlled by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”

The irony exists because backups are seen as one of the best ways to protect your organization from ransomware attacks. The attacker obviously failed to recognize that he, one day, might become the attacked.

Additionally, the REvil crew had apparently also not read our article, “Cloud Security and the Email from Hell.” Had they stored their backups offline, they may have avoided the experience of the Feds giving them a dose of their own medicine. But they didn’t.

From the above-mentioned article: “The truth is, for the most part, hackers like a soft target. In other words, they’re looking for a quick, easy win, the soft underbelly of your system. They’re looking for insecure backup infrastructure and they’re looking for weak Cloud security.” Perhaps thinking themselves impervious, REvil inadvertently rolled over and presented its soft underbelly. And the Feds and multinational task force willingly scratched it.

Ironically, the gang’s own favorite tactic of compromising the backups was turned against them.

We doubt that O_neday will be collecting the employee of the month award anytime soon.

According to Reuters, “One person familiar with the events said that a foreign partner of the U.S. government carried out the hacking operation that penetrated REvil's computer architecture. A former U.S. official, who spoke on condition of anonymity, said the operation is still active.”


Tom Kellerman, cybercrime adviser to the U.S. Secret Service.

The success stems from a determination by the U.S. Deputy Attorney General that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, Kellermann said. In June, Principal Associate Deputy Attorney General John Carlin told Reuters the Justice Department was elevating investigations of ransomware attacks to a similar priority. This gave the Justice Department and other agencies a legal basis to ask for help from US intelligence agencies and the Department of Defense, Kellermann explained. “Before, you couldn’t hack into these forums, and the military didn't want to have anything to do with it. Since then, the gloves have come off.”

What does this mean for those wanting to perform a Cloud migration?

Full Steam Ahead

For most of us, it doesn’t alter much, other than knowing that hackers and ransomware groups may actually have to face the consequences of their actions. Should we continue to be security-conscious? Absolutely. Should we be hesitant about migrating to the Cloud? Absolutely not. If you’re planning a data migration, go for it — full steam ahead. If you’re concerned about security, we suggest you read “Cloud Security and the Email from Hell” for some helpful guidelines and battle plan basics as a good starting point.

REvil inadvertently rolled over and presented its soft underbelly.

The truth is that for the vast majority of businesses, the Cloud is the way forward. It offers a multitude of benefits and smart solutions for modern, growing companies, and security concerns should not outweigh the benefits of the Cloud.

If you’d like to discuss your cloud migration with a friendly and knowledgeable consultant, call 727-442-1822 or visit to discover how to avoid one of the most common causes of data loss during a migration. If your interest is specifically in SharePoint, check out the several SharePoint-related articles on our Tips & Tricks page.

The FBI also offers tips for avoiding ransomware on their website.

Feel free to share this article on your social media: