Russia cracks down on REvil ransomware operation, arrests key players

Russia’s Federal Security Service (FSB) has arrested members of the prolific REvil ransomware group at the request of the U.S. government, a major development that comes amid simmering geopolitical tensions between the two countries.

In a statement, the FSB said it had detained 14 members of the REvil gang and searched 25 addresses linked to them in a single operation that resulted in the seizure of substantial assets belonging to the gang. The seized assets include approximately $6.8 million worth of various currencies, including cryptocurrencies; 20 premium vehicles; computer equipment; and cryptocurrency wallets used by the REvil group in its operations.

This development comes amid news of a spate of cyberattacks in Ukraine today that affected websites belonging to multiple government agencies, including the country’s Ministry of Education and its Ministry of Foreign Affairs. It is unclear whether Russian agents were behind the attacks, although many suspect they were.

The FSB described its investigation as a complex and coordinated effort that led to REvil’s operations being shut down and its criminal infrastructure neutralized. The investigation and takedown were initiated at the request of U.S. authorities, who identified REvil’s ringleader to the FSB and provided details of the gang’s ransomware campaigns against foreign entities, the FSB said. It added that U.S. authorities have been given full details of the operation.

REvil’s takedown is significant, at least as described by Russian authorities, because Russia has historically denied harboring organized ransomware groups and has taken no action against them despite U.S. requests. At a meeting last June, President Biden warned Russia that critical U.S. infrastructure was a no-go zone for hackers and urged Russian President Vladimir Putin to take action against ransomware and other cybercriminal groups operating abroad.

Attacks from REvil, also known as Sodinokibi, surfaced in 2020; the group supplied its malware to other threat groups under a ransomware-as-a-service model. The ransomware has been used in multiple attacks against major organizations, but the most disruptive was an attack against JBS Foods last May that caused major disruptions in meat processing and deliveries in the United States and Australia. Another event that received widespread attention was the June 2021 attack on Kaseya, in which ransomware was deployed on systems belonging to thousands of customers of the hosting provider.

In November, the U.S. Department of Justice announced a reward of up to $10 million for information leading to the identification or location of key individuals within the REvil group, and up to $5 million for information leading to the arrest and conviction of any affiliate.

Doubt about real motives

On Friday, several security experts welcomed the FSB’s action, describing it as a positive step.

However, there are doubts about the real motive behind the move, as it comes amid growing tensions between the United States and Russia over fears that the latter is preparing to invade Ukraine. Negotiations between the two countries to de-escalate the situation in Ukraine have so far been fruitless, amid growing fears that the conflict in the region could lead to a severe disruption of U.S.-Russian relations.

Josh Lospinoso, CEO and co-founder of Shift5 and a veteran of U.S. Cyber Command, said: “Taking down REvil during negotiations with the United States would benefit Russia and help it curry favor with Western nations that could intervene in the conflict with Ukraine. This public display also gives Russia reasonable excuses, [as] REvil was responsible for the JBS cyberattack, and they received a ransom of $11 million.”

By taking down REvil, Russia is sending a message that it is taking cyberattacks against critical infrastructure seriously. However, Lospinoso said that ransomware groups, especially those working directly or indirectly with the Putin regime, have a history of bouncing back. It is likely that another group will emerge to replace REvil, he said.

Kevin Breen, director of cyberthreat research at Immersive Labs, said the current geopolitical situation makes it difficult to figure out what kind of message Russia was sending when it shut down REvil’s operation. Only time will tell whether the operation shows the willingness of Russian authorities to cooperate long-term on cybersecurity issues.

“Continued cooperation with international authorities to disrupt and stop cyberattacks originating within Russia will send a message that the government intends to push for long-term change,” Breen said.

On the surface, at least, the FSB’s takedown of REvil shows Russia’s willingness to act on information from U.S. authorities and allies. Chatter on underground forums monitored by Trustwave last November showed that Russian threat actors feared, at least in part, that the country’s law enforcement was tracking them. According to the security vendor, some forum members even discussed the likelihood of being caught and how to prepare for it, as well as any potential sentences that might follow. The REvil group itself had ceased operations over the past few months because of heightened law enforcement attention to its activities.

Silas Cutler, a threat analyst at Stairwell, said the REvil arrests could be a veneer for Russia’s attempt to demonstrate its fight against ransomware and other threat groups operating abroad. But so far, at least, the operation doesn’t appear to have scared at least some cybercriminals.

“Members of the cybercrime forum were quick to comment, joking that the people arrested are unlikely to be key members of these groups, and are most likely low- and mid-level affiliates who failed to pay the right authorities for protection,” Cutler said. “In the past few years, some ransomware families have been specifically designed not to affect systems with Russian-language artifacts, possibly ensuring that their operations remain focused only on international targets so as not to violate Russian law.”
