Russian Security Takes Down REvil Ransomware Gang

7 months ago

The country’s FSB said that it raided gang hideouts; seized currency, cars and personnel; and neutralized REvil’s infrastructure.

Russia’s Federal Security Service (FSB) has swooped in to “liquidate” the REvil ransomware gang, it said on Friday – at the request of U.S. authorities.

The country’s main intelligence agency raided locations in Leningrad, Lipetsk, Moscow and St. Petersburg, according to local reports, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; €500,000; various cryptocurrency amounts; and 20 luxury vehicles.

A total of 14 alleged cybercriminals were also caught up in the raid, according to the FSB; they are charged with “illegal circulation of means of payment.” The security service also said that it “neutralized” the gang’s infrastructure.

The impetus for the operation was reportedly a formal request for action from U.S. authorities, “reporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” according to an FSB media statement.

It added, “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.”

The move comes two weeks after a high-stakes phone call between Russian President Vladimir Putin and U.S. President Joe Biden, who has been calling for action against Russia-based ransomware gangs for months.

REvil (aka Sodinokibi) once rose to prominence as a major fixture in the ransomware extortion racket – locking up big-fish target networks (like JBS Foods) and extracting millions in ransom payments. It made headlines last year with the sprawling zero-day supply-chain attacks on Kaseya’s customers, and was linked to the infamous Colonial Pipeline cyberattack, sparking an official shout-out from Biden with a demand that Putin shut down ransomware groups nesting in his country. Shortly after that, in July, REvil’s servers mysteriously went dark and stayed that way for two months.

By late summer, the group had re-emerged as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former power and missing key personnel. Its main coder, UNKN (aka Unknown), for instance, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates out of their fair share of ransom payments.

REvil Takedown: Will it Matter?

The reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to attack with impunity. LockBit 2.0, for instance, has been flourishing, as evidenced by Herjavec Group’s LockBit 2.0 profile and its long list of LockBit 2.0’s victims.

Ransomware opportunities are increasing in availability, too; Group-IB recently found that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.

In other words, this action may be simply a small victory in the much larger fight against ransomware. But REvil has become an important symbolic target in that fight – not least for its possible ties to Colonial Pipeline – and has been increasingly in government crosshairs worldwide.

In October, a multi-country law enforcement effort led to REvil’s servers being temporarily taken offline. In November, Europol announced the arrest of a total of seven suspected REvil/GandCrab ransomware affiliates – including a Ukrainian national charged by the United States with ransomware attacks that include the Kaseya attacks. Other countries have also snagged affiliates (independent hackers who rent REvil’s infrastructure), which doesn’t affect the core gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far beyond the reach of extradition.

Russia, for its part, may gain some kudos for this week’s action, though researchers have long noted that the country has provided a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.

“In Russia, they literally have no fear of being arrested,” Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground’s collective reaction to the news that REvil affiliates were being busted. “They make comments like, ‘protect the motherland, the motherland protects you’…They put Russian flag icons on their messages.”

Could that be changing? Only time will tell.
