Russia takes down REvil ransomware operation, arrests key members
Russia’s Federal Security Service (FSB) has arrested members of the prolific REvil ransomware group at the US government’s request. The development is significant, but it is being received with some skepticism given its timing in the middle of brewing geopolitical tensions between the two nations.
In a statement, the FSB said it had detained 14 members of the REvil gang and searched 25 addresses associated with them in an operation that resulted in the seizure of numerous assets belonging to the group. This included the equivalent of some $6.8 million in various currencies including cryptocurrency; 20 premium vehicles; computer equipment; and cryptocurrency wallets the REvil group used in its operations.
This development comes amid news of a series of cyberattacks in Ukraine today that brought down websites belonging to several government agencies, including the country’s Ministry of Education and its Ministry of Foreign Affairs. It’s unclear yet if Russia-based operatives are behind the attacks, though many have fingered them as likely suspects.
The FSB described its investigation as a complex and coordinated effort that resulted in the REvil operation being taken down and its criminal infrastructure being neutralized. The investigation and takedown were launched at the behest of US authorities, who identified REvil’s ringleader to the FSB and provided detailed information of the gang’s ransomware activities targeting foreign entities, the FSB said. US authorities have been provided full details of the operation, it added.
The REvil takedown, at least as described by Russian authorities, is significant because Russia has historically denied harboring organized ransomware groups and has taken no action against them, despite US requests. In a meeting last June, President Biden warned Russia that US critical infrastructure was off-limits for hackers and urged Russian President Vladimir Putin to act against ransomware and other cybercriminal groups working out of the country.
Attack activity from REvil, also known as Sodinokibi, surfaced in 2020; the group offered its malware to other threat groups under a ransomware-as-a-service model. The ransomware has been used in several attacks against major organizations, but none so troubling as the one against JBS Foods last May, which caused major disruptions in meat processing and delivery in the United States and Australia. Another incident that caused widespread concern was the June 2021 attack on Kaseya, in which ransomware was deployed on systems belonging to thousands of customers of managed services providers.
In November, the US Department of Justice announced a $10 million reward for information leading to the identification or location of key individuals in the REvil group and $5 million for information leading to the arrest and conviction of any affiliate.
Skepticism Over True Motives
Several security experts Friday welcomed the FSB’s action and described it as an overall good thing.
However, there is some skepticism about the true motives behind this action, considering that it comes amid growing tensions between the US and Russia over concerns that the latter is preparing to invade Ukraine.
To read the complete article, visit Dark Reading.