Russia’s Federal Security Service (FSB) has arrested members of the prolific REvil ransomware group at the US government’s request in a significant development that is being received with some skepticism given its timing in the middle of brewing geopolitical tensions between the two nations.
In a statement, the FSB said it had detained 14 members of the REvil gang and searched 25 addresses associated with them in an operation that resulted in the seizure of numerous assets belonging to the group. This included the equivalent of some $6.8 million in various currencies including cryptocurrency; 20 premium vehicles; computer equipment; and cryptocurrency wallets the REvil group used in its operations.
This development comes amid news of a series of cyberattacks in Ukraine today that brought down websites belonging to several government agencies, including the country’s Ministry of Education and its Ministry of Foreign Affairs. It’s unclear yet if Russia-based operatives are behind the attacks, though many have fingered them as likely suspects.
The FSB described its investigation as a complex and coordinated effort that resulted in the REvil operation being taken down and its criminal infrastructure being neutralized. The investigation and takedown were launched at the behest of US authorities, who identified REvil’s ringleader to the FSB and provided detailed information of the gang’s ransomware activities targeting foreign entities, the FSB said. US authorities have been provided full details of the operation, it added.
The REvil takedown, at least as described by Russian authorities, is significant because Russia has historically denied harboring organized ransomware groups and has taken no action against them, despite US requests. In a meeting last June, President Biden warned Russia that US critical infrastructure was off-limits for hackers and urged Russian President Vladimir Putin to act against ransomware and other cybercriminal groups working out of the country.
Attack activity from REvil, also known as Sodinokibi, surfaced in 2020 and offered malware under a ransomware-as-service model to other threat groups. The ransomware has been used in several attacks against major organizations, but none so troubling as one against JBS Foods last May that caused major disruptions in meat processing and delivery in the United States and Australia. Another incident that caused widespread concern was the June 2021 attack on Kaseya, in which ransomware was deployed on systems belonging to thousands of customers of managed services providers.
In November, the US Department of Justice announced a $10 million reward for information leading to the identification or location of key individuals in the REvil group and $5 million for information leading to the arrest and conviction of any affiliate.
Skepticism Over True Motives
Several security experts Friday welcomed the FSB’s action and described it as an overall good thing.
However, there is some skepticism of the true motives behind this action, considering it comes amid growing tensions between the US and Russia over concerns that the latter is preparing to invade Ukraine. Talks between the two countries to deescalate the situation in Ukraine have so far led nowhere and there’s growing concern that conflict in the region could lead to a major disruption in US-Russian relationships.
“Taking REvil down serves Russia well during talks with the United States and helps to curry favor from Western countries that may be likely to interfere in the conflict with Ukraine,” says Josh Lospinoso, CEO, and co-founder of Shift5 and founding member of US Cyber Command. “This public display also gives Russia plausible deniability [that] REvil was responsible for the JBS cyberattack, where they received $11 million in ransom.”
By taking down REvil, Russia sends the message they are taking the onslaught of cyberattacks against critical infrastructure seriously. However, ransomware groups, particularly those working directly or indirectly with Putin’s regime, have a history of bouncing back, Lospinoso says. It is quite likely that another group will emerge to replace REvil, he said.
Kevin Breen, director of cyber threat research at Immersive Labs, says the current geopolitical situation makes it hard to figure out what kind of message Russia is sending with the takedown of the REvil operation. Only time can tell if the operation signals a long-term willingness to cooperate on cybersecurity matters by Russian authorities.
“Ongoing cooperation with international authorities to disrupt and deter cyber-attacks originating inside Russian territory would send a message that the government intends to push for long-term change,” Breen says.
On the surface, at least, the FSB’s takedown of REvil signals a willingness on Russia’s part to act on information from US authorities and that of allied nations. Chatter on underground forums that Trustwave monitored last November showed at least some level of apprehension among Russia-based threat actors about law enforcement in the country tracking them down. According to the security vendor, some forum members even discussed the eventuality of their being caught and how to prepare for it, as well as any potential sentences that may follow. The REvil group itself wound down operations in the last few months because of heightened law enforcement attention on its activities.
Silas Cutler, threat analyst at Stairwell, says the REvil arrests may be an attempt by Russia to uphold an appearance of working to combat ransomware and other threat groups operating out of the country. But so far at least, the action appears to have done little to spook at least some cybercriminals.
“Members of cybercrime forums have been quick to comment, cracking jokes that the folks arrested are unlikely key members of these groups and likely low-medium level affiliates who failed to pay off the correct authorities for protection,” Cutler says. “Over the past several years, some ransomware families have been specifically designed to not impact systems with Russian language artifacts, likely to ensure their operations remain focused only on international targets, as to not violate Russian laws.”