Cybersecurity

Russia’s REvil Takedown Sets Stage for Several Scenarios

Russian authorities on Friday reported that they shut down the REvil ransomware operations and arrested a dozen or more gang members.

The Federal Security Service (FSB) of the Russian Federation said it shut down the REvil ransomware gang after U.S. authorities reported on the leader.

Russian police conducted raids at 25 addresses owned by 14 suspected gang members located across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions, according to the Russian security agency’s press release.

Authorities reportedly seized more than 426 million Russian rubles, plus US$600,000 and €500,000 in cash, along with cryptocurrency wallets, computers, and 20 expensive cars.

The FSB is Russia’s internal intelligence agency. It conducted its operation at the request of US authorities, which were notified of their results, according to the press release.

The REvil group is a well-known ransomware gang that has caused havoc for many organizations around the world, noted Joseph Carson, chief security scientist and Advisory CISO at Thycotic. So, it is not surprising that they would be a target.

“Many hackers around the world are using their skills for good, and this includes government hackers who work vigorously to defend society from cybercrime. So, targeting REvil will likely be a statement that governments will work together to stop cybercriminals at the source,” he told TechNewsWorld.

Capture and Seize Details

The group had “ceased to exist,” according to FSB statements. The agency noted that it acted after receiving information about the REvil group from the U.S.

The raid follows repeated requests from U.S. authorities over the summer to take action against the Russian underground cybercrime ecosystem. Presumably in response, the REvil gang shut down its activities in July but resumed operations in September before U.S. authorities seized some of their dark web servers.

Besides the reported arrests in Russia, seven other REvil gang members were also arrested throughout 2021. Those arrests followed operations coordinated by the FBI and Europol.

“The detained members were charged with committing crimes under Part 2 of Art. 187 ‘Illegal circulation of means of payment’ of the Criminal Code of Russia,” the FSB said in its press release.

The REvil gang committed two major legal infractions, according to the TASS Russian News Agency. The cybercriminals developed malicious software and organized the theft of money from the bank accounts of foreign citizens.

Few IDs Released

Russian officials did not initially identify any of the detained suspects. Later, however, Russian news outlet RBC named one suspect as Roman Muromsky, and TASS identified a second member as Andrei Bessonov.

The Russian state-owned domestic news agency RIA Novosti released video footage from some of the raids.


Editor’s Note Aug. 23, 2022: The video is no longer online and has been removed from this article.


It is not likely that the suspects will face charges in the U.S. The Russian government does not have a legal mechanism to extradite its own citizens, suggested some reports.

Russian officials informed U.S. representatives about the results of the operation, according to the FSB. The agency described the event as a rare collaboration with U.S. authorities.

Russia acting on any cybercrime report, especially ransomware, is especially rare, observed John Bambenek, principal threat hunter at Netenrich. Unless it involves child exploitation or Chechens, cooperation with the FSB just does not happen.

“It is doubtful that this represents a major change in Russia’s stance to criminal activity within their borders … If this time in three months there is not another major arrest, it is safe to assume no real change has happened with Russia’s approach,” he told TechNewsWorld.

“Nevertheless, it is a big arrest and will have a significant short-term impact to reduce ransomware,” he added.

Part of a Pattern

Traditional ransomware techniques did not need to be advanced to be effective, according to Adam Gavish, co-founder and CEO at DoControl. It is a simple rinse and repeat process.

“The human element remains to be a major issue. People make mistakes. They can easily become subject to a social engineering campaign, increasing the likelihood of the employee clicking on a phishing email. Their endpoint becomes compromised, the malicious code replicates and spreads through the IT estate. Simple,” he told TechNewsWorld in explaining why ransomware attacks are successful.

With the surge of cloud adoption, attackers have put SaaS applications in the crosshairs, he added. Weaponizing the many vulnerabilities that exist with SaaS applications is the next phase of advanced Ransomware attacks. Attackers recognize that a company’s crown jewels — its data — are stored, manipulated, and shared across these critical cloud-hosted business applications.

“Just like with the cloud, securing SaaS is a shared responsibility between the provider and the consumer of the service,” Gavish added.

Modern businesses have an obligation to better protect the files and data within SaaS through a defense-in-depth approach, he suggested. If an endpoint becomes compromised, there needs to be a way to prevent malicious files from being accessed by employees or external collaborators.

International Overtones

The specific dialogue between the United States and Russia on this operation remains unclear. But the FSB’s confirmation could represent a backhanded message highlighting that Russian authorities can be used to stop ransomware activity, but only under certain circumstances, suggested Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“The law enforcement operation coincided with several defacement attacks that were conducted against Ukrainian government websites. These have not been publicly attributed with confidence yet, but are widely suspected as having been conducted by Russian-aligned threat actors,” he told TechNewsWorld.

It is likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage, noted Morgan. This may relate to sanctions against Russia recently proposed in the U.S., or the developing situation on Ukraine’s border, he offered.

Ulterior Motives

The FSB targeted REvil, who has not been publicly active in conducting attacks since October 2021, is also significant, continued Morgan. Chatter on Russian cybercriminal forums identified this sentiment, suggesting that REvil were “pawns in a big political game,” he said.

Another forum participant suggested that Russia deliberately made the arrests so the United States would calm down, Morgan added. It is possible that the FSB raided REvil knowing that the group was high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape.

In discussing the cybercriminal forum chatter, Morgan reiterated that these arrests could also have served a secondary purpose. For instance, they could be a warning to other ransomware groups.

“REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks. A very public series of raids could be interpreted by some as a message to be mindful of their targeting,” he said.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Cybersecurity

Technewsworld Channels