REvil arrests trigger uncertainty
The arrests send shock waves through ransomware actors on cybercrime forums
The notorious REvil group, which has been connected to a number of attention-grabbing attacks in recent months, met its end earlier this month following the surprise, high-profile arrest of 14 suspected members of the syndicate. Predictably, cybercriminals are becoming anxious about being tracked down by law enforcement agencies.
One forum member put it: "This is a big change. I have no desire to go to jail." The dismantling of its criminal infrastructure has also fueled speculation about forum administrators working secretly with law enforcement and aroused suspicions that the gang may have hit entities within Russia, prompting the takedown.
Such is the paranoia among some forum members and ransomware affiliates that they have suggested shifting operations to India, China, the Middle East, or even Israel. One thing is clear. As another forum member commented, "Being a superstar in our business is a very bad idea."
That's not all. In a further sign that Russia is beginning to take cybercrime seriously, the Federal Security Service (FSB) arrested four individuals, including Andrey Sergeevich Novak, the alleged leader of the Infraud Organization, a hacker group that caused losses of more than $560 million during its seven years of activity.
While the arrests may have defanged the operators, the actions have also sparked chatter on the cyber-underground about REvil falling prey to political machinations amid brewing tensions between Russia and the U.S.
Russia, for its part, painted the arrests as a "joint operation" and an instance of cooperation on matters of cybersecurity, adding it "may be one of the few areas where, despite very problematic relations with the U.S., our cooperation has intensified."
Attack activity from REvil, short for Ransomware Evil (a nod to the Resident Evil franchise), first surfaced in 2019, and the group offered its malware to other threat groups under a ransomware-as-a-service (RaaS) model. It rose to become a major fixture in the threat landscape, locking up target networks, most notably in the sprawling July 2021 supply-chain attack that exploited a zero-day in Kaseya's VSA software to reach Kaseya's customers, and extracting millions in ransom payments.
Last year, it emerged as one of the most aggressive and successful Russia-based cybercrime groups, drawing increased law enforcement scrutiny from governments across the world, as well as from U.S. Cyber Command, which helped take many of the gang's online operations offline in October 2021.