The REvil ransomware gang has been a point of special focus for international law enforcement since it was linked to the 2021 attacks on Colonial Pipeline and Kaseya. The criminal group has possibly been dealt a fatal blow as Russian authorities have rounded up 14 members residing in the country, including one thought to be the perpetrator of the Colonial Pipeline incident.
The move comes at an odd time, as Russia cited the Biden administration’s request for action as its motivation even as the two countries engage in increasingly heated talk over issues in Ukraine. It is unclear if this signals a good faith effort by Russia to begin cleaning up the issue of cyber crime gangs operating freely from within its borders, or if the arrests were some sort of political strategy.
REvil ransomware threat crippled by mass arrests
The REvil ransomware group has been a leading cyber crime threat since at least mid-2020, when the hackers attacked the online accounts of a number of celebrities (including the re-election campaign of then-President Donald Trump). But it was the mid-2021 attacks on Colonial Pipeline, meat packing giant JBS and managed service provider Kaseya that brought the highest level of heat on the gang.
International law enforcement efforts disrupted the group’s servers and several arrests were made in late 2021, but the recent action by Russian authorities is the most direct blow yet to the group’s power center. It is also an unusual level of effort in culling the country’s international cyber criminals. Under President Vladimir Putin, the Russian government has long had an unofficial policy of ignoring these groups so long as they did not attack domestic targets or cause trouble with national allies. Malware from Russian groups is often programmed to ignore systems with Cyrillic language settings, so as to avoid accidental spread to victims in the region.
The perpetrator of the Colonial Pipeline attack that was rounded up does not appear to be a core member of the group, something that was widely anticipated given that REvil ransomware operated on an “affiliate” model. A third party would break into target systems and make use of the REvil ransomware once inside, and then give the gang a cut of whatever they were able to make off with. This model furnished REvil with an estimated hundreds of millions of dollars during its run.
The Russian Federal Security Service (FSB) raided 25 locations in Moscow and St. Petersburg along with several other regions. Videos of the raids posted online show them seizing millions of dollars in various currencies from the hackers as well as a number of luxury cars. The group was also reportedly holding almost $600,000 in assorted cryptocurrency. Though the raids captured core members of the group, the FSB did not indicate whether or not it had rounded up the group’s leaders. All of those captured have been charged with “illegal circulation of means of payment,” a crime that carries a maximum penalty of six years in prison.
John Bambenek, Principal Threat Hunter at Netenrich, notes that the involvement of the FSB in a domestic computer crimes case is highly unusual: “Russia acting on any cybercrime report, especially ransomware, is especially rare. Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn’t happen. It is doubtful that this represents a major change in Russia’s stance to criminal activity within their borders (unless they target Russian citizens) and more that their diplomatic position is untenable and they needed to sacrifice a few expendables to stall more serious geopolitical pressure. If this time in 3 months there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach.”
The US State Department had been offering a reward of up to $10 million for information leading to the capture of members of the REvil ransomware gang, an unprecedented move spurred by attacks that crossed from digital disruption into real-world damage. The Colonial Pipeline attack disrupted supplies of gasoline in parts of the US for nearly a week, and the JBS attack interrupted processing and shipment of meat in several international locations for a short time. REvil is also one of the groups fueling a growing trend of not just locking target systems up with ransomware, but exfiltrating sensitive information first and threatening to leak it to the public if the ransom is not paid.
A possible end for REvil, but ransomware continues unabated
The Biden administration first made a formal request to Russia to track down the REvil ransomware gang during a summit in Geneva in June. This was followed up by a series of phone conversations between the two presidents over the following months, even as tensions between Russia and NATO members began to ratchet up over the issues in Ukraine.
Some cybersecurity and political analysts believe the timing of the REvil ransomware arrests is not a coincidence. Russia could be using it as a bargaining chip, with the message being that more cooperation in removing ransomware gangs can be expected if relations improve. As Kevin Breen, Director of Cyber Threat Research at Immersive Labs, observes: “The most interesting thing about these arrests is the timing. For years, Russian government policy on cybercriminals has been less than proactive to say the least – so such action needs to be evaluated in the wider geopolitical context. With Russia and the US currently at the diplomatic table, these arrests are likely part of a far wider, multi-layered, political negotiation. From a cybersecurity perspective, it is obviously a positive development as it removes bad actors with significant knowledge, skills and judgment off the board. Change can only really be achieved, however, if this is more than an isolated act of international co-operation – but a sign of something more longstanding.”
It might instead be a backhanded insult, and a warning about Russia’s level of control over its criminal element. Putting an end to REvil ransomware does not significantly impact the current cyber threat landscape, as the group had already fizzled out after the international law enforcement operation in October that took out its servers and infrastructure. The message from Moscow may be that it keeps tabs on these groups and could take them out any time it wants to, but chooses not to as long as they only hurt the country’s rivals and enemies.
There are also some questions about whether this is truly the final nail in the REvil ransomware coffin, given that Russia did not specify if group leaders were taken into custody. Standard operating procedure for criminal hacker groups is to work under a brand for several years and then dump it when it becomes too problematic, reforming under a new name to continue the same sort of work. If REvil’s leaders and most experienced members were not taken in, there is nothing stopping them from going back into business under a new moniker.
Whatever the case, Silas Cutler, Threat Analyst at Stairwell, notes that chatter in the dark web underground indicates that other criminals are not taking this development particularly seriously: “Members of cybercrime forums have been quick to comment, cracking jokes that the folks arrested are unlikely key members of these groups and likely low-medium level affiliates who failed to pay off the correct authorities for protection.”
In the meantime, the ransomware-as-a-service model that REvil helped to pioneer has expanded greatly, with at least 20 new groups appearing over the past two years. As Satnam Narang, Staff Research Engineer at Tenable, observes: “REvil as a name is toxic, so even if they were to re-emerge, it would be under another moniker. However, ransomware groups like REvil are largely buoyed by the affiliates responsible for attacking targets. Affiliates have no loyalty to one particular group, and many have already started migrating to participate in other ransomware-as-a-service operations. This may be the end of the REvil chapter, but it’s not the end of the book. When one ransomware group falls, another will rise up to take its place.”