Law enforcement actions often fail to stop cybercriminal activity. But last week’s arrest of several members of the notorious REvil ransomware group in Russia, as well as the dismantling of its criminal infrastructure, appears to have finally caught the attention of at least some threat actors.
Trustwave researchers, who regularly track chats on underground forums, observed this week signs of considerable anxiety and panic among Eastern European cybercriminals in the days following the REvil arrests. Many threat actors clearly have little confidence left in Russia as a safe haven for their operations and are concerned that cooperation between Russian and U.S. authorities could pose major problems for them in the future.
Karl Sigler, senior security research manager at Trustwave SpiderLabs, said: “What used to feel invulnerable now feels a little unstable, fearful and paranoid.” How long this feeling lasts depends entirely on how punitive the subsequent legal action is for those who were arrested, he said.
On Friday, Russia’s Federal Security Service (FSB) announced the arrest of 14 members of the REvil gang and searches of 25 locations associated with the individuals, in an effort to disrupt REvil’s sprawling ransomware operation. The raid resulted in the FSB seizing $6.8 million in various currencies, as well as 20 luxury cars, cryptocurrency wallets and the computer equipment gang members used in the REvil operation.
Many security experts are skeptical of the arrests, which come at a time of tense negotiations between the United States and Russia over the latter’s possible invasion of Ukraine. Skeptics see the FSB’s move as an attempt to curry favor with the United States, which was deeply concerned about the threat posed by REvil following devastating ransomware attacks against JBS Foods and Kaseya by groups using the malware in May and June last year.
Despite the dubious motives, the FSB’s actions are significant, marking the first time Russian authorities have taken action against a major cyber threat group operating within its borders — and at the behest of the United States. In the past, Russia has refused even to admit that threat actors operate freely within the country, which they have long regarded as a safe haven.
Trust shaken
That complacency has been shaken considerably by the FSB’s surprise arrests last week. Security vendors have observed threat actors on underground forums expressing concern about being arrested and about Russia no longer being a safe place for their operations. Some have even started discussing the possibility of moving operations to India, the Middle East, China and even Israel.
“In fact, it is clear that those who expect the state to protect them will be greatly disappointed,” Trustwave quoted a forum member as saying.
Fear, uncertainty and doubt
Trustwave found that the arrests also fueled paranoia within the Eastern European cybercriminal community about potential moles in their ranks. There are apparently concerns that one forum administrator is secretly cooperating with law enforcement. Doubts about the individual’s dual role prompted a forum member to announce plans to publish some of his private communications with moderators, which could link the individual to the forum’s illegal activities.
Others have begun offering advice on how to mitigate law enforcement risks by leveraging mechanisms such as Tor, deleting old messages, using encryption, and not keeping all stolen data and other artifacts on a single computer. Trustwave observed a forum member saying: “It’s dangerous to write anything anywhere these days. All posts need to be cleaned up, those related to cybercrime.”
One tip cybercriminals are offering each other is to avoid drawing attention with REvil-style attacks on major multi-billion-dollar U.S. organizations and on critical-infrastructure targets such as JBS Foods. Trustwave observed that several forum members believe REvil’s downfall was due to its well-known boasting and its unrestrained targeting of organizations in countries capable of pressuring the Russian government to act.
Sigler said chat volumes on underground forums were higher than previously observed.
“The level of fear of being arrested and the discussion surrounding the possibility that their home is no longer a safe haven is unique,” he said. “There are serious concerns that cooperation between the US and Russia will be an issue for their future business.”