Russia’s REvil Takedown Sets the Stage for Various Scenarios

Russian authorities reported Friday that they have shut down REvil ransomware operations and arrested a dozen or more gang members.

The Federal Security Service (FSB) of the Russian Federation said it shut down the REvil ransomware gang after the leader was reported by US authorities.

Russian police raided 25 homes owned by 14 suspected gang members located in the Moscow, St. Petersburg, Leningrad and Lipetsk regions, according to the Russian security agency’s press release.

Authorities reportedly seized more than 426 million Russian rubles, plus US$600,000 and €500,000 in cash, along with cryptocurrency wallets, computers and 20 expensive cars.

The FSB is Russia’s internal intelligence agency. It carried out the operation at the request of US authorities, who were notified of its results, according to the press release.

The REvil group is a well-known ransomware gang that has wreaked havoc on many organizations around the world, said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, so it is not surprising that it became a target.

“Many hackers around the world are using their skills for good, and this includes government hackers who are working aggressively to defend society from cybercrime. So targeting REvil will likely be a statement that governments will work together to stop cybercriminals at the source,” he told TechNewsWorld.

Arrest and seizure details

The group had “ceased to exist”, according to FSB statements. The agency said it acted after receiving information about the REvil group from the US.

The raid follows repeated requests by US authorities over the summer to take action against the Russian underground cyber ecosystem. Presumably in response, the REvil gang shut down in July, but resumed operations in September before US authorities seized some of its dark web servers.

In addition to the reported arrests in Russia, seven other REvil gang members were also arrested throughout 2021. Those arrests followed coordinated operations by the FBI and Europol.

“The detained members were charged with committing crimes under Part 2 of Art. 187 ‘Illegal circulation of means of payment’ of the Russian Criminal Code,” the FSB said in its press release.

The REvil gang committed two major legal violations, according to the Russian news agency TASS. Cybercriminals developed malicious software and organized the theft of money from the bank accounts of foreign citizens.

Few IDs released

Russian authorities did not initially identify any of the detained suspects. Later, however, the Russian media outlet RBC named a suspect as Roman Muromsky, and TASS identified a second member as Andrei Bessonov.

The Russian national news agency RIA Novosti published video footage of some of the raids.

The suspects are unlikely to face charges in the US. The Russian government does not have a legal mechanism to extradite its own citizens, some reports suggested.

Russian officials briefed US representatives on the results of the operation, according to the FSB. The agency described the event as a rare collaboration with US authorities.

Russia acting on any cybercrime report, especially ransomware, is especially rare, noted John Bambenek, a top threat hunter at Netenrich. Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn’t happen.

“It is doubtful that this represents a major change in Russia’s stance towards criminal activity within its borders… If there is not another major arrest three months from now, it is safe to assume that no real change has occurred in Russia’s approach,” he told TechNewsWorld.

“However, it is a big arrest and will have a significant short-term impact in reducing ransomware,” he added.

Part of a pattern

Traditional ransomware techniques didn’t need to be advanced to be effective, according to Adam Gavish, co-founder and CEO of DoControl. It’s a simple rinse and repeat process.

“The human element remains a major problem. People make mistakes. They can easily become the target of a social engineering campaign, increasing the likelihood that the employee will click on a phishing email. Your endpoint is compromised, malicious code replicates and spreads throughout the IT estate. Simple,” he told TechNewsWorld in explaining why ransomware attacks are successful.

With the rise of cloud adoption, attackers have put SaaS applications in the crosshairs, he added. Weaponizing the many vulnerabilities that exist in SaaS applications is the next phase of advanced ransomware attacks. Attackers recognize that the crown jewels of a company, its data, are stored, manipulated and shared in these critical business applications hosted in the cloud.

“As with the cloud, securing SaaS is a shared responsibility between the service provider and consumer,” Gavish added.

Modern businesses have an obligation to better protect files and data within SaaS through a defense-in-depth approach, he suggested. If an endpoint is compromised, there must be a way to prevent employees or external collaborators from accessing the malicious files.

International overtones

The specific dialogue between the United States and Russia regarding this operation remains unclear. But the FSB confirmation could represent an indirect message that Russian authorities can be called on to stop ransomware activity, but only under certain circumstances, suggested Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“The police operation coincided with several defacement attacks that were carried out against Ukrainian government websites. They have not yet been publicly attributed with confidence, but are widely suspected to have been carried out by Russian-aligned threat actors,” he told TechNewsWorld.

The arrests against REvil members were likely politically motivated, with Russia seeking to use the event as leverage, Morgan noted. This may be related to the recently proposed sanctions against Russia in the US, or the developing situation on the Ukraine border, he offered.

Ulterior motives

The FSB targeting REvil, which has not been publicly active in carrying out attacks since October 2021, is also significant, Morgan continued. Chatter on Russian cybercriminal forums echoed this sentiment, suggesting that REvil were “pawns in a grand political game,” he said.

Another forum participant suggested that Russia deliberately made the arrests to calm the United States down, Morgan added. It is possible that the FSB raided REvil knowing that the group was high on the US priority list, while considering its removal would have little impact on the current ransomware landscape.

Referring to the cybercriminal forum chatter, Morgan reiterated that these arrests could also have had a secondary purpose. For example, they could be a warning to other ransomware groups.

“REvil made international headlines last year by attacking organizations like JBS and Kaseya, which were high-profile and high-impact attacks. Some might interpret a series of very public raids as a message to take their targets into account,” he said.
