[BreachExchange] What Russia’s Arrest of REvil Hackers Means for Ransomware

[Terrell Byrd]

https://www.wsj.com/articles/what-the-russian-crackdown-on-revil-means-for-ransomware-11642188675


Russian authorities announced Friday that they raided one of the most
prominent ransomware gangs, known as REvil, arrested 14 of its members and
halted the group’s operations at the request of the U.S. government.

“These are very important steps, in that they represent the Kremlin taking
action against criminals operating from within its borders, and they
represent what we’re looking for with regard to continued activities like
these in the future,” a senior U.S. government official said in a call with
reporters Friday evening.

Russia’s Federal Security Service, or FSB, said in a statement that it also
seized millions in cash, luxury cars and cryptocurrency wallets in the
raids, which took place across several Russian cities. Russian news agency
TASS later released a video of part of the bust.

What is REvil?

REvil is a major ransomware-as-a-service operator, which provides malware
to affiliates who then launch attacks, in exchange for a cut of the ransom.
The group, whose members are believed to be based in Russia and Eastern
European nations, is responsible for a number of high-profile attacks in
recent years, according to U.S. authorities, including ransomware attacks
on meatpacker JBS SA in June 2021, and technology provider Kaseya Ltd. in
July. The group has also been known by other names, such as Sodinokibi.

What is the significance of these arrests?

The FSB operation is one of the first major publicly disclosed Russian
law-enforcement actions against cybercriminal gangs.

The U.S., which posted a reward of up to $10 million for information
leading to the arrest of senior REvil figures, and international allies
have also conducted operations against REvil in recent months. Authorities
in Poland and Romania have arrested suspected members and affiliates
through August and November, and the group’s infrastructure disappeared
from the internet in July, only to briefly reappear and then disappear
again in October.

“It’s very surprising that the Russians started to play ball in the
ransomware fight,” said Alexandru Cosoi, chief security strategist at
cybersecurity company Bitdefender Inc., which tracks REvil activity. In
September, Bitdefender released a tool to decrypt data locked up by REvil
malware.

How will this affect ransomware attacks from REvil in the future?

Ransomware gangs frequently disband and reform under new names,
particularly if an affiliate attacks a major target that draws the
attention of law-enforcement agencies. The May 7, 2021, attack on Colonial
Pipeline Co., for instance, resulted in the disbandment of the Darkside
ransomware group, only for it to re-emerge under the name BlackMatter soon
after. The senior U.S. official said that one of the people arrested in the
FSB raids was responsible for the attack on Colonial.

REvil itself emerged after the 2019 takedown of the GandCrab ransomware
group.

The scale of the FSB’s operation may signal a more permanent end to REvil,
said Raj Samani, chief scientist at McAfee Corp. However, analysts say it
is too early to tell whether this will discourage other gangs from
launching attacks.

“The effect that this will have on the scale of ransomware attacks moving
forward will depend on if this is a one-off, or if more arrests happen. One
arrest a month for a few months, then all of these guys will start to
re-evaluate their life choices,” said John Bambenek, principal threat
hunter at cybersecurity firm Netenrich Inc.

Does this signal a shift in how cybercrime is being prosecuted in Russia?

The U.S. government has been outspoken about the need for Moscow to act
against hackers who launch attacks from inside its borders, both publicly
and through what a senior U.S. official described as private, bilateral
channels. President Joe Biden and Russian President Vladimir Putin have
also discussed the issue of Russian-based cyberattacks in direct talks.

Cybersecurity analysts have previously accused the Russian government of
providing safe harbor for cybercriminals, as gangs such as REvil have
included code in their systems that scan for signs a victim is in the
Commonwealth of Independent States, such as the use of Cyrillic keyboards,
and avoid targeting them. Moscow has consistently denied supporting
cybercriminals.

However, cybersecurity experts have expressed skepticism that the REvil
arrests represent a turning point in how Russia handles homegrown hackers.
Chris Morgan, a senior cyber threat intelligence analyst at cybersecurity
company Digital Shadows Ltd., said that chatter on cybercriminal forums
suggested that the move was politically motivated to ease tensions with the
U.S. government, which are currently heightened over both cybercrime and
Russian military activity on its border with Ukraine. The senior U.S.
official said that the FSB operation was the result of intelligence sharing
between the U.S. and Russian governments on cyberattacks, and was unrelated
to the situation in Ukraine.

Mr. Morgan said the operation may also have been intended as a warning to
other groups.

“REvil made international news last year in its targeting of organizations
such as JBS and Kaseya, which were high profile and impactful attacks; a
very public series of raids could be interpreted by some as a message to be
mindful of their targeting,” he said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220118/b2539512/attachment.html>