What Russia’s Arrest of REvil Hackers Means for Ransomware


A senior US official said Russian security services have arrested more than a dozen suspected cybercriminals, aided by information shared by the US.


Russia’s Federal Security Service, or FSB, said in a statement that it also seized millions in cash, luxury cars and cryptocurrency wallets in the raids, which took place in several Russian cities. Russian news agency TASS later released video of part of the bust.


What is REvil?

REvil is a leading ransomware-as-a-service operator, supplying malware to affiliates who launch the attacks and hand over a share of each ransom. The group, whose members are believed to be based in Russia and Eastern European countries, has been responsible for several high-profile attacks in recent years, according to US officials, including the June 2021 ransomware attack on meatpacker JBS SA and the July 2021 attack on technology provider Kaseya Ltd. The group is also known by other names, such as Sodinokibi.


What is the significance of these arrests?

The FSB operation is one of the first publicly disclosed Russian law-enforcement actions against a ransomware gang.

The US, which has posted a reward of up to $10 million for information leading to the identification or arrest of senior REvil figures, and its international allies have also campaigned against REvil in recent months. Authorities in Poland and Romania arrested suspected members and affiliates in August and November, and the group’s infrastructure went offline in July, only to reappear briefly before going dark again in October.

“It is very surprising that the Russians started playing ball in the ransomware fight,” said Alexandru Cosoi, chief security strategist at cybersecurity company Bitdefender Inc., which tracks REvil activity. In September, Bitdefender released a tool for decrypting data locked by the REvil malware.

How will this affect REvil’s ransomware attacks in the future?

Ransomware gangs often dissolve and re-form under new names, especially after an affiliate hits a high-profile target that draws the attention of law-enforcement agencies. For example, the May 7, 2021 attack on Colonial Pipeline Co. led to the dissolution of the DarkSide ransomware group, which re-emerged shortly afterward under the name BlackMatter. The senior US official said one of those arrested in the FSB raid was responsible for the attack on Colonial Pipeline.

REvil emerged in 2019 after the GandCrab ransomware group shut down its operation.

Raj Samani, chief scientist at McAfee Corp., said the scale of the FSB operation could signal a more permanent end to REvil. However, analysts say it is too early to tell whether this will discourage other gangs from launching attacks.

“The impact this will have on the scale of ransomware attacks going forward will depend on whether it is a one-off, or if there are more arrests. One arrest a month for a few months, then all these people will begin to reevaluate their life choices,” said John Bambenek, chief threat hunter at cybersecurity firm Netenrich Inc.

Does this signal a change in the way cybercrime is prosecuted in Russia?

The US government has been vocal about the need for Moscow to act against hackers who launch attacks from inside its borders, both publicly and through private bilateral channels, a senior US official said. President Joe Biden and Russian President Vladimir Putin have also discussed the issue of Russian-based cyberattacks in direct talks.

Cybersecurity analysts have previously accused the Russian government of providing safe harbor for cybercriminals, pointing out that gangs such as REvil build checks into their malware that look for signs that a victim machine is in the Commonwealth of Independent States, such as an installed Cyrillic keyboard layout, and avoid encrypting those hosts. Moscow has consistently denied supporting cybercriminals.
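The locale check described above, as an added example: this is illustrative code written for this page, not REvil’s or any vendor’s. It models how ransomware of this kind decides to skip a host by looking at installed keyboard layouts and the system language. The Windows LANGID values are the real identifiers; which locales count as “CIS” here, the function names, and the sample hosts are assumptions constructed for the example, and actual families differ in the lists they ship.

```python
# Added example, not REvil's code: a host-locale check of the kind the article
# describes, used by ransomware to skip machines that look like they are in
# the Commonwealth of Independent States (CIS). LANGID values are genuine
# Windows language identifiers; the set treated as "CIS", the function names
# and the sample hosts below are illustrative assumptions.

from typing import Iterable, List

# Windows LANGIDs (the low 16 bits of a keyboard-layout handle, HKL).
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0428: "Tajik",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0818: "Romanian (Moldova)",
}


def langid_from_hkl(hkl: int) -> int:
    """On Windows, GetKeyboardLayoutList() returns HKL handles; the low word
    is the LANGID and the high word identifies the specific layout."""
    return hkl & 0xFFFF


def cis_matches(keyboard_layouts: Iterable[int], system_langid: int) -> List[str]:
    """Return the CIS locales found among the installed keyboard layouts or
    the system UI language, in the order seen; empty list means no match."""
    found: List[str] = []
    candidates = [langid_from_hkl(h) for h in keyboard_layouts] + [system_langid]
    for lid in candidates:
        name = CIS_LANGIDS.get(lid)
        if name and name not in found:
            found.append(name)
    return found


def should_skip_host(keyboard_layouts: Iterable[int], system_langid: int) -> bool:
    """The decision such malware makes: any CIS signal means 'do not encrypt'."""
    return bool(cis_matches(keyboard_layouts, system_langid))


# Constructed sample hosts (not real telemetry). HKL values carry the layout
# id in the high word and the LANGID in the low word.
US_ENGLISH = 0x04090409
RUSSIAN = 0x04190419
GERMAN = 0x04070407

HOSTS = {
    # name: (system UI LANGID, installed keyboard layouts as HKLs)
    "us-workstation": (0x0409, [US_ENGLISH]),
    "de-workstation": (0x0407, [GERMAN, US_ENGLISH]),
    "ru-workstation": (0x0419, [RUSSIAN, US_ENGLISH]),
    # English UI, but a Russian layout has been added to the host.
    "us-with-ru-layout": (0x0409, [US_ENGLISH, RUSSIAN]),
}

if __name__ == "__main__":
    for name, (sys_lang, layouts) in HOSTS.items():
        print(f"{name:20} skip={should_skip_host(layouts, sys_lang)!s:5} "
              f"signals={cis_matches(layouts, sys_lang)}")
```

The last sample host shows the brittleness of the check: it keys on installed layouts and the UI language, not on where the machine actually is, so an English-language host with an extra Cyrillic layout passes as “CIS”. That is why this logic is of interest to defenders reconstructing why a given machine was or was not encrypted, but it is not a dependable protection, since the gang controls the list and can change it.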

However, cybersecurity experts have expressed doubts that the REvil arrests represent a turning point in how Russia handles domestic hackers. Chris Morgan, a senior cyber threat intelligence analyst at cybersecurity company Digital Shadows Ltd., said chatter on cybercriminal forums suggested the move was politically motivated, aimed at easing tensions with the US government at a time when both cybercrime and Russian military activity on its border with Ukraine are on the rise. The senior US official said the FSB operation was the result of intelligence sharing between the US and Russian governments on cyberattacks and was unrelated to the situation in Ukraine.

Mr Morgan said the operation may also have been intended as a warning to other groups.

“REvil made international news last year with high-profile and influential attacks targeting organizations like JBS and Kaseya; a very public series of raids could be interpreted by some as a message to be mindful of their targets,” he said.

Write to James Rundle at [email protected], Catherine Stupp at [email protected] and Kim S. Nash at [email protected]

