Ransomware, Governance, Risk and Compliance

Russian authorities move to take down members of REvil, but what does it mean?

Russian law enforcement took down more than a dozen members of the REvil ransomware gang Jan. 14, but U.S. experts are skeptical that the moves represent a true change of heart from Moscow when it comes to tolerating cybercriminal groups operating within their borders. (Adam Berry/Getty Images)

Reports began emerging early Friday morning that Russian law enforcement had conducted raids on members of the REvil ransomware gang, arresting 14 individuals and seizing millions of dollars in currency and other assets.

“As a result of a complex of coordinated investigative and operational search activities, funds were seized at 25 addresses at the places of residence of 14 members of the organized criminal community: over 426 million rubles, including in cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with money obtained from crime,” a Google-translated version of an FSB press release stated.

Many of the initial details surrounding the arrests and suspects, including videos of the raids and a list of seized assets and currencies, were communicated through the Federal Security Service (FSB), Russia’s internal security service. According to a Google translation of a (short) FSB press release, the agency took the actions following “the appeal of…U.S. authorities.”

REvil became a household name last year when the ransomware group compromised the U.S. and Australian IT networks of meat producer JBS, demanding $70 million from the company to hand over the decryption key. The company eventually paid $11 million. They’ve also been linked to the Colonial Pipeline attack that led to disruptions in gas supply up and down the East Coast of the United States, and members of the gang bragged online last year that they bring in annual revenues of over $100 million.

The two attacks were part of what prompted President Joe Biden to personally press Russian President Vladimir Putin last year to do more to rein in cyber criminal groups that operate within Russian borders. Experts in cybersecurity and international policy say that the Russian government routinely turns a blind eye to such groups so long as they don’t target Russian entities or cause too much blowback, a line the group seemingly crossed when it disrupted critical infrastructure for a geopolitical rival.

Experts skeptical of Russian crackdown on ransomware groups

The actions would seemingly represent a marked shift in the way Russia has handled their ransomware ecosystem and previous rebuffs from Putin to U.S. demands. Still, many U.S.-based cybersecurity and policy analysts expressed skepticism that the moves were genuine, and some questioned whether it was a public relations move as opposed to a good-faith effort by Russia to crack down on the problem.

Dmitri Alperovitch, the Russian-born former founder of cybersecurity firm CrowdStrike and current chairman of the Silverado Policy Accelerator, told SC Media that the operation is “significant” but comes with major caveats.

The actions come at a tense time between the three nations, as the specter of a potential Russian invasion of Ukraine have been met with threats by the Biden administration to impose widespread economic sanctions against Moscow, including cutting them off from SWIFT, the international messaging system that banks and financial institutions use to send and receive money.

“REvil is one of the top ransomware groups in the world and taking down 14 members and seizing a bunch of money is an important action, there’s no way around it. The timing, however, is very interesting and not an accident,” Alperovitch said. “The fact of the matter is that the U.S. government has passed on information to the Russians [about these actors] months ago and the fact is we’re only seeing them act on it in the midst of these serious questions around a potential Ukraine invasion, threats of various severe sanctions against the Russian economy and the counterthreat of Putin to break off diplomatic relations.”

There is still much we don’t know about what diplomatic or backchannel communications the two countries are having, but the operation is “a signal to the United States that this is the type of actions the Russians are capable of taking if they choose to, and one they won’t take if there is significant sanctions against the Russian economy for Ukraine.”

A report from Recorded Future last September outlined the “symbiotic” relationship between ransomware groups based in Russia and Russian intelligence services, who give “tacit approval” to the criminal activity for a variety of reasons, including harrying geopolitical foes like the United States and providing a proving ground for criminal or unaffiliated Russian hackers who can eventually be recruited or absorbed into Russian government operations.

However, the report also suggested that Putin is facing intense international pressure to do more to rein in these gangs and may at some point opt for a crack down, if only to keep up the pretense that the Russian government is not openly encouraging the behavior.

"Taking REvil down serves Russia well during talks with the United States and helps to curry favor from Western countries that may be likely to interfere in the conflict with Ukraine,” said Josh Lospinoso, a former NSA hacker and CEO of Shift5.

It still represents another significant setback for REvil, which has seen its operations degraded by U.S. law enforcement and intelligence agencies. Allan Liska, an analyst at Recorded Future who researches ransomware, told SC Media in an email that the group had gone quiet in the months leading up to the arrests following an FBI-led operation against the group in October. A “handful” of servers thought to belong to the group remained, but following today’s arrests those, too, have been taken down.

“There has been no activity from REvil in recent months, it is a rare case of a ransomware group who shut down and seemed to stay that way. We kept expecting a new variant tied to them to pop up, but it did not happen. Which is highly unusual,” Liska said.

It’s not clear from the release what precise roles the arrested members played in REvil’s operations, whether they were part of the core group, affiliates or part of the larger money laundering work that must be done to legitimize the ransom payments they extort.

The FSB said the arrested suspects “developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing out, including by purchasing expensive goods on the internet.”

Alperovitch noted that while we don’t know the role these members played in REvil, the Russian law the members were being charged under was for illegally circulating currency, or money laundering, not hacking.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.