Russian Security Raids REvil Ransomware Gang!

The Russian FSB stated that it raided gang hideouts; seized currency, cars & personnel; & ‘neutralised’ REvil’s infrastructure.

At the request of US authorities, Russia’s Federal Security Service (FSB) swooped in to “liquidate” the REvil ransomware gang, it announced on Fri.

25 Locations

According to local reports, the country’s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow & St. Petersburg, seizing assets worth more than $5.6m (426m rubles) in various forms, including $600k; €500k; various cryptocurrency amounts; & 20 luxury vehicles.

The FSB outlined that a total of 14 alleged cyber-criminals were also caught in the raid & have been charged with “illegal circulation of means of payment.” The security service also explained that it “neutralised” the gang’s infrastructure.

The reason for the action was reportedly a formal request from the US, “reporting about the leader of the criminal community & his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information & extorting money for its decryption,” according to an FSB media statement.

FSB & the Ministry of Internal Affairs

It added, “As a result of the joint actions of the FSB & the Ministry of Internal Affairs of Russia, the organised criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralised. Representatives of the competent US authorities have been informed about the results of the operation.”

This move comes 2 weeks after a high-stakes phone call between Russian President Vladimir Putin & US President Joe Biden, who has been calling for action against Russia’s ransomware gangs for months.

REvil (aka Sodinokibi) rose as a major feature in the ransomware extortion racket – attacking ‘big-fish’ target networks (like JBS Foods) & extracting millions in ransom payments.

Headlines

It made headlines in 2021 with the sprawling zero-day supply-chain attack on Kaseya’s customers, & was linked to the infamous Colonial Pipeline cyber-attack. This prompted an official complaint from Biden last summer, with a demand that Putin shut down ransomware groups residing in Russia.

In July, REvil’s servers mysteriously went dark & stayed that way for 2 months. By late summer, the group was reborn as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former strength & missing key personnel.

Its main coder, UNKN (aka Unknown), for example, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates out of their share of ransom payments.

Chatter

Chris Morgan, Senior Cyber-Threat Intelligence Analyst at Digital Shadows, noted that FSB’s actions sparked some ‘chatter’ on the cyber-underground about REvil being sacrificed to politics.

“It’s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine’s border,” he said.

“Chatter on Russian cyber-criminal forums identified this sentiment.”

He outlined that one user suggested that REvil members are “pawns in a big political game,” while another user suggested that Russia made the arrests “on purpose” so that the US would “calm down.”

REvil Takedown: Significant?

The reported takedown may have stopped a brand-name ransomware operator, but REvil is not what it used to be, & other groups continue to strike with impunity. LockBit 2.0, for instance, has been flourishing, as evidenced by Herjavec Group’s LockBit 2.0 profile & its long list of LockBit 2.0’s victims.

Ransomware opportunities are growing, too: Group-IB recently found that 21 new RaaS affiliate programs sprang up over the past 12 months, & that the number of new double-extortion leak sites more than doubled to 28.

So, this action may be simply a small win in the much larger battle against ransomware. However, REvil has become an important ‘symbolic’ target in this fight – not the least for its potential ties to Colonial Pipeline – & has been increasingly in government sights worldwide.

REvil’s Servers

In Oct., a multi-country undercover effort led to REvil’s servers being temporarily taken offline. In Nov., Europol announced the arrest of a total of 7 suspected REvil/GandCrab ransomware affiliates – including a Ukrainian charged by the US with ransomware assaults that include the Kaseya attacks.

Other countries have also caught ‘affiliates’ (independent cyber-attackers who rent REvil’s infrastructure), which does not affect the core gang; but in Oct., Germany identified an alleged core REvil operator, hiding in Russia & far from extradition.

Russia may gain some ‘brownie points’ for this week’s action, though researchers have long noted that the country has become a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.

No Fear

“In Russia, they literally have no fear of being arrested,” Jon DiMaggio, Threat Group Researcher & Chief Security Strategist at Analyst1, recently commented, discussing the cyber-underground’s collective indifference at the Nov. news that REvil affiliates were being raided.

“They make comments like, ‘protect the motherland, the motherland protects you’…They put Russian flag icons on their messages.”

Could that be changing? Time will tell, researchers suggested.

“Russia acting on any cybercrime report, especially ransomware, is especially rare,” John Bambenek, Principal Threat Hunter at Netenrich, explained. “Unless it involves child exploitation or Chechens, co-operation with the FSB just doesn’t happen.

Major Change

It is doubtful that this represents a major change in Russia’s stance to criminal activity within their borders (unless they target Russian citizens) & more that their diplomatic position is untenable & they needed to sacrifice a few expendables to stall more serious geopolitical pressure.”

He added, “If this time in 3 months there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach.”

“It’s possible that the FSB raided REvil knowing that the group were high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape,” Digital Shadows’ Morgan concluded.
