Russian Security Takes Down REvil Ransomware Gang

At the request of U.S. authorities. Russia’s Federal Security Service (FSB) has swooped in to “liquidate” the REvil ransomware gang, it said on Friday.

According to local reports, the country’s main security agency raided locations in Leningrad, Lipetsk, Moscow and St. Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; €500,000; various cryptocurrency amounts; and 20 luxury vehicles.

The FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been  charged with “illegal circulation of means of payment.” The security service said that it “neutralized” the gang’s infrastructure.

The impetus for the attack was reportedly a formal request for action from U.S. authorities, “reporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” according to an FSB media statement.

It added, “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.”

The move comes two weeks after a high-stakes phone call between Russian President Vladimir Putin and U.S. President Joe Biden, who has been calling for action against Russia-dwelling ransomware gangs for months.

REvil (aka Sodinokibi) once rose to dominance as a major fixture in the ransomware extortion racket – locking up big-fish target networks (like JBS Foods) and extracting millions in ransom payments. It made headlines last year with the sprawling zero-day supply-chain attacks on Kaseya’s customers and was linked to the infamous Colonial Pipeline cyberattack, sparking an official shout-out from Biden with a demand that Putin shut down ransomware groups nesting in his country. Shortly after that, in July, REvil’s servers mysteriously went dark and stayed that way for two months.

By late summer, the group was reborn as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former power and missing key personnel. It’s main coder, UNKN (aka Unknown), for instance, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates out of their fair share of ransom payments.

REvil Takedown: Will it Matter?

The reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to strike with impunity. LockBit 2.0, for instance, has been flourishing, as evidenced by Herjavec Group’s LockBit 2.0 profile and its long list of LockBit 2.0’s victims.

Ransomware opportunities are growing in availability, too; Group-IB recently found that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.

In other words, this action may be simply a tiny win in the much larger battle against ransomware. But REvil has become an important symbolic target in the fight – not least for its potential ties to Colonial Pipeline – and has been increasingly in government crosshairs worldwide.

In October, a multi-country undercover effort led to REvil’s servers being temporarily taken offline. In November, Europol announced the arrest of a total of seven suspected REvil/GandCrab ransomware affiliates – including a Ukrainian national charged by the United States with ransomware assaults that include the Kaseya attacks. Other countries have also snagged affiliates (random cyberattackers who rent REvil’s infrastructure), which doesn’t affect the main gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far from the reach of extradition.

Russia, for its part, may gain some kudos for this week’s action, though researchers have long noted that the country has long provided a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.

“In Russia, they literally have no fear of being arrested,” Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground’s collective shrug at the news that REvil affiliates were being busted. “They make comments like, ‘protect the motherland, the motherland protects you’…They put Russian flag icons on their messages.”

Could that be changing? Only time will tell.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.