Russia Takes Down REvil Ransomware Operation, Arrests Key Members

Russia’s Federal Security Service (FSB) has arrested members of the prolific REvil ransomware group at the request of the US government, a significant development that has been met with some skepticism given its timing amid the geopolitical tensions between the two nations.

In a statement, the FSB said it had detained 14 members of the REvil gang and searched 25 addresses associated with them in an operation that resulted in the seizure of several assets belonging to the group. These included the equivalent of about $6.8 million in various currencies, including cryptocurrency; 20 premium vehicles; computer equipment; and cryptocurrency wallets the REvil group used in its operations.

This development comes amid news of a series of cyberattacks in Ukraine today that brought down websites belonging to several government agencies, including the country’s Ministry of Education and its Ministry of Foreign Affairs. It is still unclear whether Russia-based operators are behind the attacks, though many have flagged them as likely suspects.

The FSB described its investigation as a complex and coordinated effort that resulted in the takedown of the REvil operation and the neutralization of its criminal infrastructure. The investigation and dismantling were launched at the instigation of the US authorities, who identified REvil’s leader to the FSB and provided detailed information about the gang’s ransomware activities targeting foreign entities, the FSB said. The US authorities have been given all the details about the operation, it added.

The REvil takedown, at least as described by Russian authorities, is significant because Russia has historically denied harboring organized ransomware groups and has not taken any action against them despite US requests. At a meeting in June last year, President Biden warned Russia that US critical infrastructure was off-limits to hackers and called on Russian President Vladimir Putin to take action against ransomware and other cybercrime groups operating out of the country.

Attack activity from REvil, also known as Sodinokibi, appeared in 2020, and the group offered its malware to other threat groups under a ransomware-as-a-service model. The ransomware has been used in several attacks on major organizations, none more alarming than the one against JBS Foods in May last year, which caused major disruption to meat processing and delivery in the United States and Australia. Another incident that caused widespread concern was the attack on Kaseya in June 2021, in which the ransomware was deployed on systems belonging to thousands of customers of managed service providers.

In November, the U.S. Department of Justice announced a $10 million reward for information leading to the identification or location of key individuals in the REvil group and $5 million for information leading to the arrest and conviction of any affiliate.

Skepticism about true motives
Several security experts on Friday welcomed the FSB’s action and described it as an overall good thing.

However, there is some skepticism about the true motives behind this action, given that it comes amid growing tensions between the United States and Russia over concerns that the latter is preparing to invade Ukraine. Talks between the two countries to de-escalate the situation in Ukraine have so far led nowhere, and there is growing concern that the conflict in the region could lead to a major disruption in relations between the United States and Russia.

“Taking down REvil serves Russia well during negotiations with the US and helps win the favor of Western countries that are likely to intervene in the conflict with Ukraine,” said Josh Lospinoso, CEO and co-founder of Shift5 and founding member of US Cyber Command. “This public display also gives Russia a plausible denial [that] REvil was responsible for JBS’s cyberattacks, where they received $11 million in ransom.”

By shutting down REvil, Russia is sending the message that it takes cyberattacks on critical infrastructure seriously. But ransomware groups, especially those working directly or indirectly with Putin’s regime, have a history of returning, Lospinoso said. It is quite likely that another group will show up to replace REvil, he said.

Kevin Breen, director of cyber threat research at Immersive Labs, says the current geopolitical situation makes it difficult to figure out what kind of message Russia is sending with the removal of the REvil operation. Only time will tell whether the operation signals a long-term willingness to cooperate on cyber security issues on the part of Russian authorities.

“Ongoing cooperation with international authorities to disrupt and deter cyberattacks originating in Russian territory will send a message that the government intends to push for long-term change,” Breen said.

On the surface, the FSB’s takedown of REvil signals at least a willingness on the part of Russia to act on information from US authorities and allied nations. Chatter on underground forums, which Trustwave monitored last November, showed at least some degree of fear among Russia-based threat actors that law enforcement in the country might track them down. According to the security provider, some forum members even discussed whether they could be caught and how to prepare for it, as well as any sentences that might follow. The REvil group itself had even suspended operations for a period in recent months because of increased police attention on its activities.

Silas Cutler, a threat analyst at Stairwell, says the REvil arrests could be an attempt by Russia to keep up the appearance of an effort to combat ransomware and other threat groups operating out of the country. But so far, the action seems to have done little to intimidate at least some cybercriminals.

“Members of cybercrime forums have been quick to comment and make jokes that the detainees are unlikely to be key members of these groups and are likely affiliates at a low-to-middle level who failed to pay the proper authorities for protection,” Cutler said. “Over the past many years, some ransomware families have been specifically designed not to affect systems with Russian language artifacts, which is likely to ensure that their operations remain focused only on international targets, so as not to violate Russian laws.”
