At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates – Krebs on Security

The Russian government said today that it had arrested 14 people accused of working for “REvil“, a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victims’ organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from US officials, but many experts believe the repression is part of an attempt to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the nation’s border to Ukraine.

FSB headquarters on Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members and searched more than two dozen addresses in Moscow, St. Petersburg. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than $ 600,000 US dollars, 426 million rubles (~ 5.5 million dollars), 500,000 euros and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on appeals from the US authorities, who reported on the leader of the criminal community and his involvement in infiltrating information resources from foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” said the FSB. “Representatives of the US competent authorities have been informed of the results of the operation.”

The FSB did not release the names of any of the detainees, despite a report by the Russian news agency TASS mentions two defendants: Roman Gennadyevich Muromsky, and Andrey Sergeevich Bessonov. Russian media RIA Novosti released video footage from some of the raids:

REvil is widely believed to be a reincarnation of GandCrab, a Russian-language ransomware-affiliated program that boasted of stealing more than $ 2 billion when it closed the store in the summer of 2019. For about the next two years, REvil’s “Happy Blog” would release press releases , naming and insulting dozens of new victims every week. An analysis from February 2021 by researchers at IBM showed that the REvil gang earned more than $ 120 million in 2020 alone.

But all that changed last summer when REvil associated with working with another ransomware group – Dark side – the attack Colonial pipeline, causing fuel shortages and price increases throughout the United States. Just months later, a police operation in several countries allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced that they had arrested seven REvil affiliates, who collectively demanded ransoms of more than $ 230 million since 2019. At the same time, U.S. authorities dropped two charges against a pair of accused REvil cybercriminals, who referred to the men as “REvil Affiliate # 22 “and” REvil Affiliate # 23. “

It’s clear that the US authorities have known the real names of REvil’s top captains and moneylenders for some time. Last fall, President Biden told Putin that he expects Russia to act when the United States shares information about specific Russians involved in ransomware activity.

So why now? Russia has gathered about 100,000 troops along its southern border with Ukraine, and diplomatic efforts to eliminate the situation have reportedly broken down. Washington Post and other media outlets report today that the Biden administration has accused Moscow of sending saboteurs into eastern Ukraine to stage an incident that could give Putin a pretext to order an invasion.

“The most interesting thing about these arrests is the timing,” he said Kevin Breen, director of threat research at Immersive Labs. “For years, the Russian government’s policy toward cybercriminals has been less than proactive to say the least. With Russia and the United States currently at the diplomatic table, these arrests are likely to be part of a much broader, multi-layered, political negotiation.”

President Biden has warned that Russia can expect severe sanctions if it chooses to invade Ukraine. But Putin has said in return that such sanctions could cause a complete break in diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder and former chief technology officer of security firm CrowdStrike, called the REvil arrests in Russia “ransomware diplomacy.”

“This is Russian ransomware diplomacy,” Alperovitch said on Twitter. “It’s a signal to the United States – if you do not impose severe sanctions on us for invading Ukraine, we will continue to work with you on ransomware investigations.”

The REvil arrests were announced as many government websites in Ukraine were marred by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the internet. “Be afraid and expect the worst,” the message warned.

Experts say there is good reason for Ukraine to be scared. Ukraine has long been used as a testing ground for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the December 23, 2015 cyber attack on Ukraine’s electricity grid, leaving 230,000 customers shaking in the dark.

The warning left on Ukrainian government websites that have been destroyed within the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia has also been suspected of releasing NotPetya, a large-scale cyber attack that was originally aimed at Ukrainian companies, which ended up creating an extremely disruptive and costly global malware outbreak.

Although there has been no clear attribution of these recent attacks to Russia, there is reason to suspect Russia’s hand, he said. David Salvo, Deputy Director of the Alliance for the Security of Democracy.

“This is proven and genuine Russian tactic. Russia used cyber-operations and information operations in the run-up to its invasion of Georgia in 2008. It has long led to massive cyber attacks on Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it’s completely surprising, that it would use this tactic now that it is clear that Moscow is looking for a pretext to invade Ukraine again and blame the West in its typical cynical way. “


Leave a Reply

Your email address will not be published. Required fields are marked *