Speculation that REvil's second disappearance was induced by law enforcement activity seems to have been borne out. Reuters reported late yesterday that REvil's difficulties in reestablishing itself, including its loss of keys and its loss of control over its servers, were the result of a concerted effort by law enforcement, intelligence, and military agencies, with the cooperation of private security companies, to knock the gang offline. One feature of the operation appears to have been the compromise of REvil's backups, which the gang then used to restore its infrastructure. A US National Security Council representative would say only, according to Computing, that there was "a whole of government ransomware effort, including disruption of ransomware infrastructure and actors." It was also an international operation, with participation by other unspecified but "like-minded countries."
The cyber underworld will adapt, and is already showing signs of doing so, security firms note. Kaspersky researchers looked specifically at the Russophone criminal community, the market leader, and found increasing division of labor, commodification of tools and access, and criminal-to-criminal (C2C) marketing.
CISA warned yesterday that a rollover bug in the GPS Daemon (GPSD) will hit Network Time Protocol servers that take their time from it this Sunday, October 24th, rolling their date back 1024 weeks (the coincidence of the 1024-week rollback landing on 10/24 has not gone unremarked) to March 2002, with predictable disruption to services that depend on NTP. The bug is in GPSD's handling of the GPS week number, a 10-bit counter that wraps every 1024 weeks and must be disambiguated against a trusted reference date. The problem affects only GPSD versions 3.20 through 3.22, and the fix is the obvious one: upgrade to version 3.23 or later. Only NTP servers that use GPSD as a reference clock are directly affected; NTP clients with several other sources should reject the stray server as a falseticker, but single-source setups have no such protection. CISA recommends that concerned users consult the SANS Institute's account of the bug for more background and information.
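As an added illustration of the mechanism (this is example code written for this page, not code from gpsd, CISA or SANS, and it does not reproduce the actual gpsd defect), the following Python resolves a 10-bit GPS week number and time-of-week into UTC the standard way, by choosing the rollover count against a reference date the receiver trusts. The sample values, the reference dates and the `gpsd -V` output format are assumptions for the example; the only real constants are the GPS epoch, the 1024-week modulus and the 18-second leap-second offset. With a sane reference the sample decodes to Sunday 2021-10-24; with a reference stuck in the previous GPS epoch the same bits decode to 2002-03-10, exactly 1024 weeks earlier, which is the class of failure the advisory describes.

```python
from datetime import datetime, timedelta, timezone
import re

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 began here
WEEK_MODULUS = 1024        # the broadcast week number is a 10-bit field
LEAP_SECONDS = 18          # GPS minus UTC since 2017-01-01; assumed constant here
SECONDS_PER_WEEK = 7 * 86400


def gps_week_of(moment):
    """Full (un-wrapped) GPS week number of a UTC datetime."""
    return (moment - GPS_EPOCH).days // 7


def resolve_gps_time(wn10, tow, reference):
    """Turn a 10-bit week number plus time-of-week into UTC.

    The 10-bit field is ambiguous: wn10 could mean week wn10, wn10+1024,
    wn10+2048, ...  The usual way out is a trusted `reference` date known to
    be no later than the true time (firmware build date, RTC, or a hard-coded
    constant).  We pick the smallest rollover count k such that
    wn10 + 1024*k is at or after the reference week.  A stale reference picks
    k one too small and the result lands exactly 1024 weeks early.
    Comparison is at week granularity; a reference inside the true week is
    still fine because we accept equality.
    """
    if not 0 <= wn10 < WEEK_MODULUS:
        raise ValueError("week number must fit in 10 bits")
    if not 0 <= tow < SECONDS_PER_WEEK:
        raise ValueError("time-of-week out of range")
    ref_week = gps_week_of(reference)
    if ref_week > wn10:
        # ceiling division: smallest k with wn10 + 1024*k >= ref_week
        k = (ref_week - wn10 + WEEK_MODULUS - 1) // WEEK_MODULUS
    else:
        k = 0
    full_week = wn10 + WEEK_MODULUS * k
    gps_time = GPS_EPOCH + timedelta(weeks=full_week, seconds=tow)
    return gps_time - timedelta(seconds=LEAP_SECONDS)  # GPS time runs ahead of UTC


def rollback_weeks(good, bad):
    """Whole weeks by which `bad` lags `good` (0 when they agree)."""
    return (good - bad).days // 7


# Constructed sample: noon GPS time on Sunday 2021-10-24, which is full GPS
# week 2181, so the 10-bit field carries 2181 % 1024 = 133.
SAMPLE_WN10 = 133
SAMPLE_TOW = 12 * 3600


def demo():
    """Decode the sample with a current reference and with a stale one."""
    good = resolve_gps_time(SAMPLE_WN10, SAMPLE_TOW,
                            datetime(2021, 1, 1, tzinfo=timezone.utc))
    bad = resolve_gps_time(SAMPLE_WN10, SAMPLE_TOW,
                           datetime(2002, 1, 1, tzinfo=timezone.utc))  # previous GPS epoch
    return good, bad


# Practical check: the advisory names gpsd 3.20 through 3.22 as affected.
AFFECTED_RANGE = ((3, 20), (3, 22))


def gpsd_version_affected(version_output):
    """True if text such as the output of `gpsd -V` (format assumed) names
    a version inside the affected range."""
    m = re.search(r"(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found")
    ver = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_RANGE[0] <= ver <= AFFECTED_RANGE[1]


if __name__ == "__main__":
    good, bad = demo()
    print("current reference :", good.isoformat())
    print("stale reference   :", bad.isoformat())
    print("weeks rolled back :", rollback_weeks(good, bad))
    print("3.21 affected?    :", gpsd_version_affected("gpsd: 3.21 (revision 3.21)"))
```

The lesson for anyone running GPS-disciplined time servers is that the week number alone never identifies a date; whatever supplies the reference (and the code that compares against it) is as much a part of the time source as the receiver, and it ages.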
CISA also issued four ICS-CERT advisories yesterday.