Russian Security Takes Down REvil Ransomware Gang

The country’s FSB said that it raided gang hideouts; seized currency, cars and personnel; and neutralized REvil’s infrastructure.

At the request of U.S. authorities, Russia’s Federal Security Service (FSB) has swooped in to “liquidate” the REvil ransomware gang, it said on Friday.

According to local reports, the country’s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow and St. Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; €500,000; various cryptocurrency amounts; and 20 luxury vehicles.

The FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been charged with “illegal circulation of means of payment.” The security service also said that it “neutralized” the gang’s infrastructure.

The impetus for the attack was reportedly a formal request for action from U.S. authorities, “reporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” according to an FSB media statement.

It added, “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.”

The move comes two weeks after a high-stakes phone call between Russian President Vladimir Putin and U.S. President Joe Biden, who has been calling for action against Russia-dwelling ransomware gangs for months.

REvil (aka Sodinokibi) once rose to dominance as a major fixture in the ransomware extortion racket – locking up big-fish target networks (like JBS Foods) and extracting millions in ransom payments. It made headlines last year with the sprawling zero-day supply-chain attacks on Kaseya’s customers; and was linked to the infamous Colonial Pipeline cyberattack. All of that sparked an official shout-out from Biden in the summer, with a demand that Putin shut down ransomware groups nesting in his country.

Shortly after that, in July, REvil’s servers mysteriously went dark and stayed that way for two months. But by late summer, the group was reborn as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former power and missing key personnel. Its main coder, UNKN (aka Unknown), for instance, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates out of their fair share of ransom payments.

Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows, noted that FSB’s actions sparked some chatter on the cyber-underground about REvil falling prey to political machinations.

“It’s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine’s border,” he said. “Chatter on Russian cybercriminal forums identified this sentiment.”

He said that one user suggested that REvil members are “pawns in a big political game,” while another user suggested that Russia made the arrests “on purpose” so that the United States would “calm down.”

REvil Takedown: Will it Matter?

The reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to strike with impunity. LockBit 2.0, for instance, has been flourishing, as evidenced by Herjavec Group’s LockBit 2.0 profile and its long list of LockBit 2.0’s victims.

Ransomware opportunities are growing in availability, too; Group-IB recently found that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.

In other words, this action may be simply a tiny win in the much larger battle against ransomware. But REvil has become an important symbolic target in the fight – not least for its potential ties to Colonial Pipeline – and has been increasingly in government crosshairs worldwide.

In October, a multi-country undercover effort led to REvil’s servers being temporarily taken offline. In November, Europol announced the arrest of a total of seven suspected REvil/GandCrab ransomware affiliates – including a Ukrainian national charged by the United States with ransomware assaults that include the Kaseya attacks. Other countries have also snagged affiliates (independent cyberattackers who rent REvil’s infrastructure), which doesn’t affect the core gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far from the reach of extradition.

Russia, for its part, may gain some kudos for this week’s action, though researchers have long noted that the country has become a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.

“In Russia, they literally have no fear of being arrested,” Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground’s collective shrug at the November news that REvil affiliates were being busted. “They make comments like, ‘protect the motherland, the motherland protects you’…They put Russian flag icons on their messages.”

Could that be changing? Only time will tell, researchers said.

“Russia acting on any cybercrime report, especially ransomware, is especially rare,” John Bambenek, principal threat hunter at Netenrich, told Threatpost. “Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn’t happen. It is doubtful that this represents a major change in Russia’s stance to criminal activity within their borders (unless they target Russian citizens) and more that their diplomatic position is untenable and they needed to sacrifice a few expendables to stall more serious geopolitical pressure.”

He added, “If this time in three months there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach.”

“It’s possible that the FSB raided REvil knowing that the group were high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape,” Digital Shadows’ Morgan added.
