Russian authorities announced Friday that they raided one of the most prominent ransomware gangs, known as REvil, arrested 14 of its members and halted the group’s operations at the request of the U.S. government.
Russia’s Federal Security Service, or FSB, said in a statement that it also seized millions in cash, luxury cars and cryptocurrency wallets in the raids, which took place across several Russian cities. Russian news agency TASS later released a video of part of the bust.
What is REvil?
REvil is a major ransomware-as-a-service operator, which provides malware to affiliates who then launch attacks, in exchange for a cut of the ransom. The group, whose members are believed to be based in Russia and Eastern European nations, is responsible for a number of high-profile attacks in recent years, according to U.S. authorities, including ransomware attacks on meatpacker JBS SA in June 2021, and technology provider Kaseya Ltd. in July. The group has also been known by other names, such as Sodinokibi.
What is the significance of these arrests?
The FSB operation is one of the first major publicly disclosed Russian law-enforcement actions against cybercriminal gangs.
The U.S., which posted a reward of up to $10 million for information leading to the arrest of senior REvil figures, and international allies have also conducted operations against REvil in recent months. Authorities in Poland and Romania have arrested suspected members and affiliates through August and November, and the group’s infrastructure disappeared from the internet in July, only to briefly reappear and then disappear again in October.
“It’s very surprising that the Russians started to play ball in the ransomware fight,” said Alexandru Cosoi, chief security strategist at cybersecurity company Bitdefender Inc., which tracks REvil activity. In September, Bitdefender released a tool to decrypt data locked up by REvil malware.
How will this affect ransomware attacks from REvil in the future?
Ransomware gangs frequently disband and reform under new names, particularly if an affiliate attacks a major target that draws the attention of law-enforcement agencies. The May 7, 2021, attack on Colonial Pipeline Co., for instance, resulted in the disbandment of the Darkside ransomware group, only for it to re-emerge under the name BlackMatter soon after.
REvil itself emerged after the 2019 takedown of the GandCrab ransomware group.
The scale of the FSB’s operation may signal a more permanent end to REvil, said Raj Samani, chief scientist at McAfee Corp. However, analysts say it is too early to tell whether this will discourage other gangs from launching attacks.
“The effect that this will have on the scale of ransomware attacks moving forward will depend on if this is a one-off, or if more arrests happen. One arrest a month for a few months, then all of these guys will start to re-evaluate their life choices,” said John Bambenek, principal threat hunter at cybersecurity firm Netenrich Inc.
Does this signal a shift in how cybercrime is being prosecuted in Russia?
The U.S. government has been outspoken about the need for Moscow to act against hackers who launch attacks from inside its borders, both publicly and through what a senior U.S. official described as private, bilateral channels. President
and Russian President
have also discussed the issue of Russian-based cyberattacks in direct talks.
Cybersecurity analysts have previously accused the Russian government of providing safe harbor for cybercriminals, as gangs such as REvil have included code in their systems that scan for signs a victim is in the Commonwealth of Independent States, such as the use of Cyrillic keyboards, and avoid targeting them. Moscow has consistently denied supporting cybercriminals.
However, cybersecurity experts have expressed skepticism that the REvil arrests represent a turning point in how Russia handles homegrown hackers. Chris Morgan, a senior cyber threat intelligence analyst at cybersecurity company Digital Shadows Ltd., said that chatter on cybercriminal forums suggested that the move was politically motivated to ease tensions with the U.S. government, which are currently heightened over both cybercrime and Russian military activity on its border with Ukraine.
Mr. Morgan said the operation may also have been intended as a warning to other groups.
“REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting,” he said.
Write to James Rundle at email@example.com, Catherine Stupp at Catherine.Stupp@wsj.com and Kim S. Nash at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8