More than a dozen members of the REvil ransomware group have been arrested courtesy of the Russian government. On Friday, the Federal Security Service of the Russian Federation announced a joint effort between it and the Ministry of Internal Affairs of Russia that led to the arrest of 14 people associated with the infamous cybercrime group.
Some 25 residential addresses were searched. In addition to the 14 arrests, several assets were seized, including more than 426 million rubles, €500,000, US$600,000, crypto wallets, computer equipment and 20 luxury cars bought with the proceeds of the group’s crimes.
The arrested individuals were charged with committing crimes under Part 2 of Article 187 “Illegal circulation of means of payment” of the Criminal Code of Russia.
The operation was conducted at the request of U.S. authorities, according to the FSB, which added that the U.S. was informed of the outcome. “The investigative measures were based on a request from the … United States,” the FSB said, according to Reuters. “The organized criminal association has ceased to exist, and the information infrastructure used for criminal purposes was neutralized.”
As ransomware attacks have grown more common and more destructive over the past couple of years, REvil became infamous as one of the major culprits. The group brought undue attention to itself last year following its attack against enterprise IT firm Kaseya, an incident that affected more than 1,000 organizations across the firm’s supply chain. Another attack against meat processing company JBS Foods further brought REvil into the spotlight.
The group was reportedly taken down last October by a multi-nation operation in which law enforcement officials and cyber specialists hacked into REvil’s computer network infrastructure and took control of part of it. Since then, group members had been flying under the radar but were clearly still at large.
The Biden administration has been pressuring Russia to take ransomware and its perpetrators seriously, especially amid allegations that groups like REvil have operated with at least the tacit permission of the former Soviet Union. Friday’s operation also came in the midst of tension between the U.S. and the Kremlin over fears that Russia has been planning a new invasion of Ukraine.
Referring to the FSB’s comment that the operation was carried out at the request of the U.S. government, Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that this may represent a backhanded message indicating that Russia can be used to stop ransomware activity, but only under certain circumstances.
“It’s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage,” Morgan said. “It could be debated that this may relate to sanctions against Russia recently proposed in the U.S., or the developing situation on Ukraine’s border. The fact that the FSB targeted REvil, who have not been publicly active in conducting attacks since October 2021, is also significant. Chatter on Russian cybercriminal forums identified this sentiment, suggesting that REvil were ‘pawns in a big political game,’ while another user suggested that Russia made the arrests ‘on purpose’ so that the United States would ‘calm down.’”
The FSB might have also raided REvil knowing that the group was a high-priority target for the U.S. but that the arrests would have little impact on the current ransomware landscape, Morgan added. The operation may have even been staged as a warning to other ransomware gangs to be mindful of whom they target lest they invite undue attention to themselves.
The question now is whether these arrests mean that REvil is truly down for the count.
“Regarding REvil, the crime group has seen a few iterations and probably their fair share of internal attrition since inception,” said Neal Dennis, threat intel specialist at Cyware. “They’ve weathered digital attacks and take-downs but always seemed to bounce back. Why? Because digital actions are nothing without arrests of key members of the gang. That being said, REvil is not the first Russian cyber crew to be wiped out by Russian authorities and won’t be the last. In the past, when a group gets as large and prolific as this on the global stage, Russia eventually steps in.”