The REvil ransomware gang may have suffered a fatal blow if reports from Russia are accurate.
The Interfax news agency quoted Russia’s Federal Security Service (FSB) today saying members of the gang, also known by some researchers as Sodinikibi, have been charged, and its infrastructure “liquidated.”
“The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documentation of illegal activities has been carried out,” the intelligence service was quoted as saying.
The arrests came as the result of “the appeal of the competent U.S. authorities, who reported the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB was quoted as saying.
The arrests come as the United Nations is preparing to start a three-year discussion on January 17th on a possible cybercrime treaty. [UPDATE: Because of COVID-19 the start of that session will be rescheduled] They also come seven months after U.S. president Joe Biden urged Russian President Vladimir Putin to crack down on cyber hackers based in his country.
Interfax said the equivalent of over US$5 million was seized at the residences of 14 members of the hacker group, as well as computer equipment, crypto wallets and 20 premium cars.
A ransomware-as-a-service operation that runs through affiliates who do the initial hacking, REvil has been under sustained international pressure since its attack last year on Kaseya. The gang’s ransomware payment site disappeared in July, only to re-emerge in September. But the following month REvil was itself hacked and forced offline this week by a multi-country operation, according to a Reuters report.
Commenting on the early report, Brett Callow, a British Columbia-based threat analyst at Emisoft, said that at this point, it’s unclear whether Russia really intends to crack down on ransomware, or whether they simply detained the members of a non-operational outfit in an attempt to alleviate international pressure. “No matter,” he added, “this is a win, as other cybercriminals will invariably be concerned about the potential consequences, especially those who’ve had previous dealings with REvil. They’ll be wondering how badly the operation was compromised, and whether their doors’ could be next to be kicked in.”
“Countries are increasingly using legal indictments and cybercrime is no longer going unpunished, particularly for groups like REvil that fly too close to the sun in their efforts to do big game hunting,” said Marc Rivero, senior security researcher at Kaspersky’s GReAT threat intelligence team. “As we saw last year with attacks on JBS and Colonial Pipeline, attacks that had real-life consequences drew the attention of the public and led to law enforcement paying extra attention to this issue.”
This appears to be a step in the right direction demonstrating global co-operation in addressing this impactful activity to businesses and critical infrastructure around the world, said Tim Conway, technical director of ICS and SCADA programs at the SANS Institute. “At a minimum, criminal groups conducting these attacks should see these arrests as a new risk in their calculus, previously there has been little cooperation at a global scale to address criminal group activities and now there is a demonstration of action. How this plays out over time and if it begins to deter criminal group activities will depend heavily on events occurring in the larger geopolitical stage.”
There is no confirmation of whether any of the self-identified leaders have been arrested, said John Shier, senior security advisor at Sophos. “The arrests by the FSB, allegedly at the request of the US government, are unusual given Russia’s stance on such crimes. The news comes at a time when political tensions between the two governments are running high and it’s easy to be cynical about the motive. At a time when Russia needs a little geopolitical goodwill, they arrest individuals associated with a defunct ransomware group. If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbour they thought it was. While we can be afforded some brief time to celebrate the good news, it’s always important to remember that cybercrime isn’t just about ransomware. There are plenty of other cybercriminals, who were not impacted by these arrests, who will continue operating as usual.”
Palo Alto Networks’ Unit 42 threat intelligence team last summer called REvil “one of the world’s most notorious ransomware operators. In just the past month, it extracted a US$11 million payment from the U.S. subsidiary of the world’s largest meatpacking company based in Brazil (JDS), demanded US$5 million from a Brazilian medical diagnostics company and launched a large-scale attack on dozens, perhaps hundreds, of companies that use IT management software from Kaseya VSA.”
REvil was seen to be working with a ransomware group known as GandCrab in 2018. At the time, Unit 42 said, they were mostly focused on distributing ransomware through malvertising and exploit kits, which are malicious advertisements and malware tools that hackers use to infect victims through drive-by downloads when they visit a malicious website. Then they morphed into REvil.
MORE TO COME