At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

The Russian government said today that 14 persons have been arrested on suspicion of working for “REvil,” a particularly aggressive ransomware outfit that has extorted hundreds of millions of dollars from victims. The Russian Federal Security Service (FSB) stated that the actions were taken in response to a request from US officials, but many experts believe the crackdown is part of a larger effort to defuse tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the country’s border with Ukraine.

The Russian Federal Security Service (FSB) announced that it had arrested 14 REvil ransomware members and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad, and Lipetsk. The FSB recovered almost $600,000 USD, 426 million rubles ($USD 5.5 million), 500,000 euros, and 20 “luxury cars” acquired using cash earned through cybercrime as part of the raids.

“The search activities were based on the request of US authorities, who reported on the criminal community’s leader and his involvement in infiltrating the information resources of foreign high-tech companies by introducing malicious software, encrypting information, and extorting money for its decryption,” the FSB said. “The results of the operation have been communicated to representatives of the US competent authorities.”

Although a report from the Russian news agency TASS cites two defendants: Roman Gennadyevich Muromsky and Andrey Sergeevich Bessonov, the FSB did not publicise the names of any of the people arrested. RIA Novosti, a Russian news agency, released video footage from several of the raids:

REvil is commonly assumed to be a reincarnation of GandCrab, a Russian-language ransomware affiliate network that boasted of stealing over $2 billion before shutting down in the summer of 2019. REvil’s “Happy Blog” would pump out news releases every week for the next two years, naming and shaming scores of new victims. According to an IBM study published in February 2021, the REvil gang made more than $120 million in 2020 alone.

All of that changed last summer, when REvil affiliates teamed up with another ransomware organisation, DarkSide, to attack Colonial Pipeline, resulting in nationwide fuel shortages and price rises. Investigators were able to hack into the REvil gang’s operations and force the group offline just months later, thanks to a multi-country law enforcement investigation.

Europol said in November 2021 that it had arrested seven REvil affiliates who had demanded more than $230 million in ransom since 2019. At the same time, US officials unveiled two indictments against two suspected REvil cybercriminals, referring to them as “REvil Affiliate #22” and “REvil Affiliate #23,” respectively.

The genuine identity of REvil’s top captains and moneymakers have clearly been known to US authorities for some time. President Biden warned Russian President Vladimir Putin last fall that he expects Russia to act if the US reveals information on specific Russians participating in ransomware operations.

So, why are we doing this now? Russia has reportedly stockpiled 100,000 troops along its southern border with Ukraine, and diplomatic efforts to alleviate the situation have failed. The Biden administration has accused Moscow of sending saboteurs into Eastern Ukraine to manufacture an incident that could provide Putin a pretext for authorising an invasion, according to the Washington Post and other media sites.

Kevin Breen, director of threat research at Immersive Labs, remarked, “The most remarkable part about these arrests is the timing.” “Russian government strategy on cybercrime has been, to put it mildly, reactive for years. These arrests are most likely part of a much larger, multi-layered political discussion between Russia and the United States, which is presently underway.”

President Biden has warned that if Russia invades Ukraine, it will face heavy consequences. However, Putin has stated that such penalties might result in the abolition of diplomatic relations between the two countries.

The arrests of REvil in Russia have been dubbed “ransomware diplomacy” by Dmitri Alperovitch, co-founder of CrowdStrike and former chief technical officer.

On Twitter, Alperovitch commented, “This is Russian ransomware diplomacy.”

On Twitter, Alperovitch commented, “This is Russian ransomware diplomacy.” “It’s a message to the US: if you don’t impose heavy penalties against us for invading Ukraine, we’ll keep working with you on ransomware investigations.”

Many government websites in Ukraine were vandalised by hackers with an ominous message informing Ukrainians that their personal data was being transferred to the Internet as the REvil arrests were revealed. The letter warned, “Be afraid and expect the worse.”

According to experts, Ukraine has reason to be concerned. Russia has long used Ukraine as a proving ground for its offensive hacking capabilities. The cyberattack on Ukraine’s power infrastructure on December 23, 2015, was blamed on state-backed Russian hackers, who left 230,000 consumers in the dark.

NotPetya, a large-scale cyberattack aimed at Ukrainian enterprises that ended up causing a very disruptive and costly global malware spread, has also been linked to Russia.

Despite the lack of a definitive attribution of these current attacks to Russia, David Salvo, deputy director of The Alliance for Securing Democracy, believes there is evidence to assume Russia’s involvement.

“These are tried-and-true Russian tactics,” says the author. In the run-up to its 2008 invasion of Georgia, Russia conducted cyber and information operations. It has long carried out large-scale cyberattacks against Ukrainian infrastructure, as well as information operations against Ukrainian forces and residents. And it’s unsurprising that it’d adopt similar tactics now, when it’s evident that Moscow is searching for any excuse to attack Ukraine once more and, in true cynical way, accuse the West.”