Authorities in Russia have apprehended 14 alleged members of the notorious REvil ransomware gang. The Russian Federal Security Service (FSB) oversaw the crackdown operation announced on Friday (January 14), based on information provided to them by US law enforcement regarding ransomware attacks on western companies. According to an FSB statement (Google-translated from the Russian language original) on the case, the suspects were later charged with "illegal circulation of means of payment." This would imply that the individuals are facing money laundering and fraud charges rather than computer intrusion charges, though there is still some ambiguity in the case. "It's unclear whether the developers or lower-level criminals were arrested," Group-IB, a threat intelligence firm, told The Daily Swig.
The FSB went on to say that "as a result of the joint actions of the FSB and the Russian Ministry of Internal Affairs, the organized criminal community ceased." Although details are sketchy, indications suggest that Russian authorities have apprehended a number of alleged underlings rather than bosses and masterminds in a large ransomware-as-a-service criminal conspiracy.
The FSB has made available edited video highlights of its raids.
Confirmed victims of REvil (also known as 'Sodinokibi') include global money exchange Travelex, IT services firm Kaseya, and JBS, one of the world's largest meat suppliers.
In October 2021, US authorities successfully breached and disrupted REvil's infrastructure.
The latest law enforcement action, which could be even more serious, comes on the heels of a November 2021 indictment of two men charged with using REvil ransomware in cyber-attacks against Kaseya and others.
That earlier action involved the arrest of separate, named suspects in Poland and Romania.
Ransomware is still a major threat, but REvil has been largely dormant since last October, long before the latest arrests. Despite this, threat intelligence experts questioned by The Daily Swig said the threat could reappear under a different guise, so confident statements that the risk has been neutralized are, at best, premature. "REvil dropped off the radar in October as a result of constant law enforcement pressure. The group's infrastructure has remained inactive since then," said Group-IB. "However, as we've seen with other ransomware gangs, shutdowns do not always mean the end of malicious activity. There are many RaaS [ransomware-as-a-service] programmes at the moment, with Group-IB analysts identifying at least 21 new affiliate programmes in the latest Hi-Tech Crime Trends report between H2 2020 and H1 2021.
"Furthermore, ransomware gangs frequently relaunch their operations under new names. Such rebranding has occurred with DoppelPaymer and Avaddon. In addition, in August, we revealed the similarities between DarkSide and its apparent successor, BlackMatter."

If you have any questions about the preceding topic, please do not hesitate to contact us. Your digital partner will be Airzero Sec.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/