‘It’s not clear whether the developers or lower-level criminals were arrested’, threat intel experts tell The Daily Swig
The crackdown operation, announced on Friday (January 14), was masterminded by the Russian Federal Security Service (FSB) using information supplied to them by US law enforcement regarding ransomware attacks on western companies.
Raids on 25 addresses in and around Moscow and St Petersburg led to the seizure of $5.5 million in cash and cryptocurrency, 20 premium cars, and the seizure of computing equipment as well as more than a dozen arrests.
The suspects were subsequently charged with “Illegal circulation of means of payment”, according to an FSB statement (Google-translated from Russian language original) on the case. This would suggest that the individuals face charges relating to money laundering and fraud rather than computer intrusion, though there is still some ambiguity surrounding the case.
“It’s not clear whether the developers or lower level criminals were arrested,” threat intel firm Group-IB told The Daily Swig.
The FSB added that as a “result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized”.
Although not entirely clear, indications suggest that the Russian authorities have rounded up a number of alleged underlings rather than bosses and masterminds in an extensive ransomware-as-a-service criminal conspiracy.
The FSB has posted edited video highlights of its raids.
Confirmed Victims of REvil (also known as ‘Sodinokibi’) include global money exchange Travelex, IT services firm Kaseya, and JBS, one of the world’s biggest meat suppliers.
In October 2021, US authorities managed to breach and disrupt the infrastructure of REvil.
The latest law enforcement action, potentially an even more serious blow, follows a November 2021 indictment against two men charged with deploying REvil ransomware in cyber-attacks against Kaseya and others.
This action involves arrests in Poland and Romania of named (different) suspects.
Ransomware as a class of threat remains a huge problem but REvil itself has been largely dormant since last October, long before the latest arrests.
Threat intel experts quizzed by The Daily Swig said despite this the threat might yet reappear under a different guise, so confident statements that the risk has been neutralized are, at best, premature.
“REvil went off the radar in October following constant law enforcement pressure. Since then, the group's infrastructure has remained inactive,” said Group-IB.
“However, as we’ve seen with various ransomware gangs in the past, the shutdowns do not always mean the end of malicious activities. There are many RaaS [Ransomware-as-a-Service] programs at the moment, with at least 21 new affiliate programs having been identified by Group-IB analysts in the latest Hi-Tech Crime Trends report between H2 2020 and H1 2021.”
Group-IB added: “It means that ransomware affiliates can jump from one RaaS to another. In addition, ransomware gangs tend to relaunch the operations under different names.
“We’ve seen such rebranding with DoppelPaymer, and Avaddon. Additionally, in August, we revealed the similarities between DarkSide and BlackMatter, its apparent successor.”