Fallout from REvil arrests shakes up ransomware landscape


While the arrests of reported REvil members may have lowered ransomware activity, infosec analysts say the effect will likely be short-lived.

Last month, the Russian Federal Security Service (FSB) announced it had "stopped" REvil operations, arrested more than a dozen members and confiscated millions of dollars. It is unclear how much these arrests impacted REvil operations; the ransomware as a service (RaaS) group was also knocked offline in October following a reported cyber offensive operation led by U.S. Cyber Command.

But infosec analysts believe the REvil arrests have had an effect. With one of the most infamous gangs — responsible for high-profile attacks like the one against JBS Foods that resulted in an $11 million ransom — seemingly out of commission and under scrutiny from Russian law enforcement, the ransomware landscape may be altered, with the fear of possible jail time trickling down to other groups.

Prior to the arrests, REvil gained a reputation for its ego; the operators and their affiliates were unafraid to hit a wide range of targets, from point-of-sale terminals to managed service providers and a foreign currency exchange. It seemed no target was out of reach; even celebrities like Lady Gaga and Madonna were affected after the Russia-based ransomware group hit an entertainment law firm. As highlighted in the report "A History of REvil" by Jon DiMaggio, chief security strategist at Analyst1, one of the group's "targeting options" even involved supply chain companies.

That ego is what DiMaggio credited with REvil's downfall. In the report, he noted that if it had "targeted smaller, non-critical companies," perhaps its operations would still be intact.

Several factors contributed to that ego, including timing, DiMaggio told SearchSecurity.

Ransomware attacks against enterprises, he said, were not as common until 2015 or 2016. REvil filled a gap left behind by GandCrab and gained attention in its early attacks from the criminal community, Russian forums and Telegram channels. It was one of the first groups to appear approachable, and they would respond, whether it was to a security researcher or another criminal.

"They just came in with such momentum," DiMaggio said. "So many people were drawn to them because they were doing these big attacks, but then coming out and talking about it, which up to that point really hadn't been done. It almost gave them this celebrity status."

Russian government intentions

Many of the most prolific ransomware gangs have been tied to Russian-speaking threat actors over the years, and some analysts believe the Russian government's crackdown on REvil may not be entirely genuine. Trustwave security researcher Ziv Mador published a blog post last month that examined the fallout on dark web forums. One forum member broached the idea of the operation being "faked or was only a show for global use."

"One possible reason for the FSB to fake or not follow through on these arrests could be that it's just trying to placate the U.S. and avoid further economic sanctions," Mador wrote in the blog.

While DiMaggio said protection from the Russian government did not lead to REvil's ego, it may have allowed the group to feel safe to operate, even if the group did not realize it themselves.

"Not having a fear of being arrested allowed them to be approachable and allowed them to feel safe to talk and to do interviews with researchers, so I think that is what made them feel safe to do all this stuff, which then led to their widescale recognition," DiMaggio said.

In his report, DiMaggio examined discussions held on dark web forums over the past several years and found that "ransomware criminals believed they were untouchable." The most common concern he observed was getting arrested outside of Russia.

Likewise, Ryan Olson, vice president of threat intelligence for Palo Alto Networks' Unit 42 team, said if groups have been operating in a country without arrests, it gives the impression that the government would not hand them over.

"You probably feel more secure living in that country, where you don't have to worry about extradition or cooperation from law enforcement," Olson said.

Coveware CEO Bill Siegel said Russian law enforcement possibly coddling ransomware gangs is nothing new. There is a long history of these activities being "state ignored" or "state condoned," he said in an email to SearchSecurity.

A Coveware quarterly report referred to the arrests as "an unprecedented action for the Russian government to take."

As for the cybercriminal underworld, DiMaggio said, the biggest accusation against REvil regarding law enforcement was that one of the key operators in the group was cooperating with U.S. authorities after being arrested.

Recently, a feud broke out between LockBit and BlackMatter that appeared to be tied to the REvil arrests and the breakdown of trust they represented. The feud stemmed from accusations of REvil members being undercover law enforcement agents or working with law enforcement directly.

Azim Khodjibaev, senior intelligence analyst at Cisco Talos, told SearchSecurity the final allegation made by LockBit was that the REvil bust was a major political program between Russia and the U.S. to cooperate more on ransomware disruption. It was allegedly a bone thrown to President Joe Biden by Russian President Vladimir Putin, he said, in order to show or hint at the possibility of cooperation.

Olson cited the types of attacks he saw last year against critical infrastructure, particularly against the Colonial Pipeline Company, that may have shifted from a law enforcement focus to a broader government response.

"That changed the game a bit around who needed to talk to who and who was actually engaged in the fight as well," he said.

Effect on ransomware landscape

Despite remaining questions around government motivations, analysts and vendors agree that the reported REvil arrests will have a level of impact.

Following the arrests, Hold Security observed the resignation of key members from several ransomware gangs, including TrickBot and Conti. In a tweet on Friday, the Milwaukee-based security consulting firm said its dark web sources reported that "Trickbot gang lost its key members over the past 24 hours. Looks like Russian government actions are driving ransomware gangs to close their doors."

Alex Holden, chief information security officer at Hold Security, told SearchSecurity that several members mentioned moving on to other projects, but a majority of them just said, "I am done."

"Conti group members have been mentioning that if the Russian government ever starts enforcing the law and starts arresting the ransomware groups, they would exit the business the same day. That seems to be happening now, and it's definitely been brewing over the past months," Holden said.

Mador also documented post-arrest dark web chatter and found "a great deal of panic and consternation" from forum participants "regarding the FSB arrests and how those actions will impact them in the future."

"From the conversations we've seen, it is clear that these people no longer believe Russia is a safe harbor for their activities," Mador wrote in the blog post. "This level of anxiety and fear expressed by Dark Web forum members is something we have not seen before."

[Screenshot of Russian dark web forum post following REvil arrests]
Trustwave observed fear from ransomware gangs on dark web forums following the REvil arrests.

Mador concluded that the long-term effect remains to be seen.

"There is a strong chance that the FSB's activity has a long-term impact on cybercrime, but only if the Russian government follows through and prosecutes those arrested to the full extent of their law. Russian prisons are no walk in the park, and cybercriminals know that," he wrote.

Olson also believes it may be too early to determine the real effects. The Unit 42 team did observe a drop-off in ransomware activity in January, compared with December and November, but nothing significant.

"Arresting one group itself, taking those players off the board won't have a major impact as there are so many people launching ransomware attacks, especially with the ransomware-as-a-service model," Olson said.

Since ransomware affiliates are separate from the operators that develop the malware and perform encryption, Olson said, they can simply move to a new RaaS operation if one or two groups are shut down.

While the arrests of one group's players may not have a huge impact on the overall ransomware landscape, Siegel said any action that increases the perceived risk of arrest is good.

"Even if these arrests are for show, or the actors don't get our definition of 'justice,' you cannot deny that these actions were disruptive and raise the risk profile," he said. "That is a positive."

The Coveware report determined that the arrests reduced the "addressable market of cyber criminals willing and able to execute these attacks, as not all of them are willing to risk jail time or western extradition for the money they earn."

Emsisoft analyst Brett Callow said law enforcement action will have ransomware gangs worried.

"They don't operate in a vacuum and [they] share resources and personnel with other operations. So, when one gang gets compromised and its members arrested, others will invariably wonder whether they might be impacted too," Callow said in an email to SearchSecurity.

But the short-term progress may not last long. If not for the recent escalation at the Ukraine-Russia border, DiMaggio believes the impact made by the REvil arrests would have been greater. Now, he thinks things may get worse.

"I think that not only are they not going to be worried, I feel like they're going to be motivated. They'll be motivated to do attacks like the Colonial Pipeline or to hit financial institutions," he said. "It's really the first time in my career I will say I am genuinely worried as to what's coming."