Security news that informs and inspires

Russia Arrests Alleged REvil Ransomware Members at U.S. Urging

The Russian FSB state security service has arrested 14 alleged members of the REvil ransomware group in a coordinated series of raids in several locations Friday, an operation that was apparently done after persistent lobbying and requests from U.S. officials in recent months.

The FSB said the raids were done after "the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption." The service did not release the names of any of the people who were arrested, but said that they had been charged with violations of the country’s money laundering statutes.

As part of the operation, authorities seized more than $600,000, €500,000, cryptocurrency, 20 vehicles, and computer equipment. The money seizures and the charges of money laundering, rather than computer-related crimes, may indicate that the people arrested were affiliates involved in the financial side of the business only, rather than the core developers of the ransomware or the people controlling the operation itself. REvil, like many other ransomware operations, rents its ransomware and infrastructure to affiliates as part of a ransomware-as-a-service model that’s designed to reduce risk for the operators while maximizing the potential profits.

"As a result of the joint actions of the FSB and the Russian Interior Ministry, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent US authorities were informed about the results of the operation," the FSB said in a statement.

The arrests come at a time of heightened political tensions, with potential economic sanctions against Russia under discussion in the U.S., and they also occurred on the same day that a number of Ukrainian government websites were defaced. The operation against REvil, a group that has not been active for several months, could be more of a symbolic move than anything else, researchers said.

“I think it’s a combination of all of those factors. There was quite a few negotiations with the US and Russia which might not have gone as well as they would have hoped. It almost makes me think it was done intentionally to detract from the defacement attacks. It was a long time since Putin and Biden had those conversations last summer,” said Chris Morgan, a senior cyber threat intelligence analyst at Digital Shadows.

“I almost wonder if they went after REvil because it’s almost throwing a patsy under the bus because they’re not active at this time. They’re a big player, but not active. It could be a message to other groups that they need to be more careful with their targeting.”

The operation is a landmark in the years-long effort by law enforcement, diplomats, and other western officials to get Russian authorities to make a meaningful move against the many ransomware gangs that operate inside the country’s borders. Those efforts have largely failed until now for a number of reasons, including the fact that those ransomware groups scrupulously avoid attacking organizations in Russia and mainly target companies in the west.

“They’re not doing it out of the goodness of their hearts. Russia makes moves ahead of time for leverage later on.”

REvil is responsible for some of the larger and more disruptive ransomware attacks of the last few years, including the attack against software maker Kaseya last year and the intrusion at food giant JBS. Both attacks drew a lot of attention to the group, and the State Department offered a reward of $10 million for information leading to the arrest of REvil’s leaders. In November, the Justice Department indicted two men in connection with REvil operations, a Russian and a Ukrainian, and seized more than $6 million in funds allegedly derived from ransom payments.

“I think this news kind of shattered our expectations because the Russians had been unwilling or unable to do this in the past,” Morgan said. “They’re not doing it out of the goodness of their hearts. Russia makes moves ahead of time for leverage later on.”

Allan Liska, intelligence analyst at Recorded Future, said that the crackdown sends a clear message to other ransomware actors that no group is above the law in Russia. After REvil’s attacks on Kaseya and JBS, as well as ensuing charges and arrests by the Department of Justice (DoJ) of a Ukrainian citizen and Russian national linked to the group in November, REvil was considered a “hot potato,” said Liska.

“Obviously this is good news, but I think that timing has a lot to do with it,” said Liska. “One thing that jumps out to me is that the … operators were spooked after the (November) FBI operation, we haven’t seen any recent activity associated with them. There’s no loss for the FSB here and they get to look good on the world stage.”

While rare, the FSB has previously announced various dismantling operations against cybercrime groups within Russia - including one against a credit card fraud ring in March 2020 that yielded 25 arrests. However, these operations have infrequently centered around ransomware groups.

Unlike other cybercriminals in Russia, “ransomware actors (in Russia) have specifically avoided Russian targets,” said Liska. “We’ve seen recent ransomware attacks that accidentally hit Russian targets, and they immediately give them the decryption keys.”

The broader cybercriminal underground, particularly these ransomware groups, will likely be very concerned with the potential implications of the FSB’s announcement, said Brett Callow, threat analyst with Emsisoft - especially those who acted as affiliates of REvil in the past or have done business with them in other ways.

“No matter Russia’s intentions here, this was a positive step,” said Callow. “This will have a broader impact beyond just REvil. The risk-to-reward ratio for ransomware now has a lot more risk in it than it used to, and that is going to cause some people to think twice - especially those who may have already made millions of dollars.”