Cyber criminals are becoming anxious about being tracked down by law enforcement agencies following the high-profile arrests of suspected members of one of the most notorious ransomware groups. 

On January 14, Russia’s Federal Security Service (FSB) announced it had detained members of the REvil ransomware gang operating from several regions of the country and dismantled the group’s operations. Previous action by Europol resulted in the arrest of a suspected REvil affiliate near the Polish and Ukrainian border.

According to analysis of chatter on Dark Web forums by cybersecurity researchers at Trustwave SpiderLabs, the recent arrests, particularly those by Russia, appear to have scared cyber criminals, some of whom appear to be worried that they might be next. 


Ransomware is one of the biggest cybersecurity issues facing organisations and the wider world today, with a string of incidents demonstrating how such attacks can impact utilities, healthcare, food production and other vital services that people need every day, while cyber criminals can walk away with huge sums of money when victims give in and pay the ransoms required for a decryption key.

There’s a consensus among cybersecurity experts that many of the major ransomware operations work out of Russia, with the authorities willing to turn a blind eye towards attacks targeting the West. But following arrests throughout the region, some cyber criminals are wondering if the risk is worth it. 

“This is a big change. I have no desire to go to jail,” wrote one forum member. 

“In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said another. 

There’s even concern that administrators of the dark web communities – who would have details about their users – could be coerced into working for law enforcement following arrest. 

Such is the paranoia among some forum members and ransomware affiliates that they suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many. 

“Those that are seasoned in cybercrime understand that by moving outside of Russia, they’ll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves,” Ziv Mador, VP security research at Trustwave SpiderLabs, told ZDNet. 

“Also, there is a large talent pool in Russia already, so more members and affiliates can always be recruited. Recruiting can become more difficult in other geographies. There is a level of trust that is required, and that trust diminishes the further away a prospective member is from ‘home base’,” he added. 


However, while some users are anxious following the arrests, some are less sympathetic, blaming a string of high-profile attacks against major targets in the United States for the unwelcome attention.

“It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?” one user wrote. 

“They climbed everywhere indiscriminately without understanding which country [they were attacking],” said another. 

“Some cyber criminals may feel like REvil spoiled the ability to earn a living by attracting too much law enforcement attention and political powers. This kind of activity may have triggered a lack of sympathy by forum members,” said Mador.  
