Following the shutting down of REvil's networks and infrastructure last week by the law authorities, the Groove ransomware gang has called on certain other extortion organizations to strike US interests.
The REvil ransomware campaign was halted again during the weekend, according to Bleeping Computer, when an unidentified third party hacked its dark web domains. The Russian-led REvil ransomware syndicate was brought down by an extensive multi-country law enforcement investigation in the last week, which led to its network getting hacked and getting knocked offline again for the second time, in the latest effort taken by governments to destabilize the lucrative ecosystem.
Whilst this takedown, a recognized REvil operator alleged that the unknown party was "looking" for them by changing configuration settings to lure the threat actor into visiting a site maintained by the mysterious entity. According to Reuters, REvil's takedown was the culmination of a multinational law enforcement effort that included FBI assistance.
In a Russian blog post, the Groove ransomware group urged all the other ransomware organizations to target and attack US interests.
The blog post also urges ransomware operators not to target Chinese enterprises, as organizations may need to utilize the nation as a haven if Russia takes a tougher stance against cybercriminals operating within its borders.
The entire translated message, with some unacceptable phrases censored, read:
"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing,
unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet while our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this" - Groove ransomware.
The possibility of assaults on US interests is consistent with previous information supplied this week to BleepingComputer by a threat intelligence analyst for a Dutch bank.
After closing down and separating from the original Babuk Ransomware operation, a threat actor identified as 'Orange' created the RAMP hacker forum in July 2021. Because Orange still had control of Babuk's Tor site, he utilized it to build the hacker forum wherein he served as an administrator. Orange is also thought to be a symbol of the Groove ransomware attack.
Orange recently resigned as the forum's administrator to explore a new venture, but he provided no additional details.
In addition, a subsequent tweet implies that the malicious actor is likely launching a new ransomware campaign after actively seeking the purchase of network access to US hospitals and government entities.
It's indeed unknown if 'Orange' would carry out these assaults on US firms as part of the Groove operation or initiate a separate ransomware campaign.
