The agency cited three private sector security experts working with the US Government and one ex-official as it sources.
On Wednesday, the news surfaced that the REvil site on the dark web was offline. One Dmitry Smilyanets, who works for the threat intelligence firm Recorded Future and also writes for The Record, a website belonging to the company, claimed to have found a thread claiming to offer the reason for the disappearance of REvil. The CIA's investment arm, In-Q-Tel is an investor in Recorded Future.
Ransomware threat researcher Brett Callow, from the New zealand-headquartered security outfit Emsisoft, had cautioned the same day about believing any of the chatter around the incident. REvil, which is also known as Sodinokibi, attacks only systems running Microsoft's Windows operating system.
Kellerman is an adviser to the US Secret Service on cyber crime.
Replace 64 with 65. https://t.co/duNpMcyO0a— Brett Callow (@BrettCallow) October 21, 2021
REvil went offline in July for the first time, after the ransomware had been used to attack about 60 managed service providers, using a zero-day flaw in the Kaseya VSA remote management software. Kaseya is a solutions developer for MSPs.
Roughly two months later, REvil came back online. There has been speculation that the dark web operations of REvil disappeared in July due to a technical issue. Once the site came back online, it was taken to mean that the operators had been merely lying low.
Pressure on ransomware gangs has increased after a hit on the Colonial pipeline in the US in May by the DarkSide ransomware gang.
That was ramped up further after the Kaseya incident, with US President Joe Biden raising the issue with his Russian counterpart, Vladimir Putin, during talks.
The US convened an online meeting of some 31 countries recently to discuss steps to prevent ransomware attacks, but for some unknown reason did not invite either Russia or China
Oleg Skulkin, deputy head of the forensics lab at Russian security company Group-IB, said: “The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised.
“Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”