Cybersecurity firm Trustwave discovered that the January 14 Russian FSB takedown of the REvil ransomware gang caused fear and anxiety in the cybercrime underground. After analyzing dark web chatter on underground forums, Trustwave discovered that the cybercriminals believed they could end up in prison and considered relocating.
The Russian domestic security service said the operation was at the request of US authorities to address ransomware attacks originating from the country.
The FSB says it seized 426 million rubles (approx. $5.6 million), $600,000 in US dollars, €500,000 in euros, and 20 luxury cars after detaining 14 members of the REvil ransomware gang.
Dark web chatter confirms anxiety over potential Russian FSB cooperation with the US
The prospect of cooperation between the Russian government and the United States increased anxiety in underground circles. Trustwave SpiderLabs quoted one underground hacking forum member worrying about serving a prison sentence.
“This is a big change,” he said. “I have no desire to go to jail.”
According to Trustwave SpiderLabs, members of the underground forums felt that their homeland was no longer a safe haven and feared arrests. Some suggested relocating their ransomware operations to India, China, the Middle East, or Israel.
These concerns confirmed that ransomware gangs perceived Russia as a refuge for their criminal activities. However, leaving Russia only increased their chances of arrest and extradition to the United States.
Another member warned others that the FBI was targeting ransomware groups through money exchangers in Moscow and St. Petersburg: “All who exchange in Moscow or St. Petersburg stop, the FBI in Moscow. Through the money exchangers, the hardworking ransomware are covered (captured).”
They feared that money exchangers had collaborated with law enforcement and provided information during interrogations.
One participant of the dark web chatter raised suspicions of secret negotiations between the Russian FSB and the FBI to combat ransomware. Another warned that ransomware operators who depend on the state for protection would be shocked.
“In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” he said.
The dark web chatter also indicated that underground hacking group members were apprehensive about betrayal by forum administrators. They suspected that one administrator was working with law enforcement authorities and was complicit in the arrests.
One member promised to share a conversation he had with a member who “disappeared without a trace, very likely thanks to a person under the nickname RED \ KAJIT, he is the administrator of the ramp forum, who works for law enforcement against ordinary hard workers.”
Forum administrators have access to membership information and could share it with law enforcement agencies as part of a plea bargain or for incentives like financial rewards.
Trustwave analyzed one member’s conversation that predicted in November 2021 that arrests would take place within two months.
However, some believed they could avoid arrest and continue their ransomware activities. One member offered several solutions to evade law enforcement should the Russian FSB cooperate with US authorities. He recommended using Tor for anonymity, storing stolen digital assets on different computers, and using encryption.
Additionally, he advised cybercriminals to avoid unnecessary dark web chatter, adding that “it is now dangerous to write anything at all, anywhere.”
He also warned that CCTV cameras were everywhere in Moscow and St. Petersburg, a huge security risk for cybercriminals involved in the physical withdrawal of extorted money.
Other participants in the dark web chatter blamed the REvil ransomware group for attracting attention by attacking multi-billion-dollar organizations in powerful countries like the United States and bragging about it.
One member pointed out that “being a superstar in our business is a very bad idea.”
“It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states,” he said. “With whom did they dare to compete?”
Russian FSB action against REvil ransomware is likely a diversion from Ukraine
Trustwave questioned the commitment of the Russian FSB to combating the ransomware threat. A member of an underground forum expressed a similar sentiment in the dark web chatter, suggesting that the operation was a show intended for international consumption. The REvil ransomware gang was considered low-hanging fruit and a lame duck in cybercrime because it had voluntarily scaled down its operations and had already been hit by successful law enforcement actions.
Potentially, the REvil arrests could assist the Russian FSB in diverting attention from the simmering crisis at the Ukrainian border and in avoiding further sanctions from the United States. Consequently, many Western experts remain skeptical that the arrests will eventually lead to prosecution or open a new chapter of cooperation between the Russian FSB and international security services.