Cyber pros: Don’t revel in REvil’s downfall just yet

The arrests of REvil’s alleged kingpins are a welcome step, but as with any disruption to cyber criminal activity, it is never wise to assume law enforcement action means the threat has passed entirely

The apparent downfall of REvil, one of the most prolific and dangerous ransomware gangs of recent years, following a series of raids by Russian authorities has naturally been welcomed in the security community. But this sense of relief should be tempered with the almost certain knowledge that the takedown does not mean the ransomware threat is any closer to passing, or that the public narrative about the end of REvil is entirely as it seems.

What we can say for sure is that the killing blow against REvil was struck on Friday 14 January 2022, when agents of Russia’s FSB state security service, working alongside the Investigations Department of Russia’s Ministry of Internal Affairs, conducted raids in Moscow, St Petersburg, and Lipetsk – a small city about 420 kilometres south of Moscow.

The FSB said the basis for the activities was the “appeal of the competent US authorities” which had shared with it details of REvil’s leader and his involvement in ransomware attacks.

The agency said it had established the “full composition” of the REvil gang and thoroughly documented the extent of its activities. It accused them of having developed malicious software, organised the theft of funds from bank accounts outside Russia, and cashed out their gains.

The FSB raided 25 addresses linked to 14 members of the REvil gang and recovered more than 426 million rubles, including $600,000 and €500,000 in cryptocurrency, linked crypto wallets, computing equipment, and – as has become commonplace in such raids – a number of luxury vehicles.

Subsequently, eight of those arrested have been charged with crimes under Part 2 of Article 187 of Russia’s Criminal Code, which relates to the illegal circulation of means of payment. Russian news agency TASS named two of these individuals as Roman Muromsky and Andrey Bessonov. According to Reuters, Muromsky was known as a website developer specialising in small business sites.

Greedy goofball guys

Ziv Mador, vice-president of security research at Trustwave Spiderlabs, spends his working days exploring the dark web, which he describes as a “window into the soul” of the cyber criminal community. He says that in the days since the “unprecedented” FSB action, Russia-based cyber criminals have become terrified that time is up and there is nowhere left for them to hide.

At the end of 2021, Mador published research that pointed to a degree of concern already taking hold among some Russia-based cyber criminals, who were alarmed that the Russian authorities were actively hunting them down. This has now escalated into panic.

“We’ve seen a lot of responses on their forums since Friday, and they are very unhappy,” Mador tells Computer Weekly. “Some of them are scared. That sense of security they used to have from operating in Russia – which was considered a kind of safe haven for them – not anymore.”

In the past, Mador explains, many cyber criminals operating out of Russia had managed to wriggle out of any legal trouble they might have become embroiled in – by paying bribes, for example – but given the FSB acted on the basis of US requests, it is now clear to them that the action against REvil was signed off at the highest level – that is to say, by Vladimir Putin.

In other words, says Mador, Russian cyber criminals are running out of options and hope. Some are suggesting destroying the evidence of their heists, paper trails, chat logs and so on. Others are talking about the possibility of getting out of Russia altogether, with potential safe havens including China, India, countries in the Middle East and even, for reasons mystifying to anybody with a passing understanding of the cyber security industry, Israel.

“In one of the comments, one of them reminds everyone how hard conditions in Russian prisons are, he even said it’s better to be in a US prison than a Russian prison. So they know that if they go to jail, it’s going to be really hard, and it scares them,” says Mador.

There is also anger directed at REvil itself, with one angry dark web forum user calling them “greedy goofball guys” who attacked “indiscriminately without understanding”. Another said: “It was necessary to think before climbing and encrypting multibillion-dollar companies, schools, states. With whom did they dare to compete?” A third forum poster mused: “Being a superstar in our industry is a very bad idea.”

“Some of them are criticising the REvil group because they think they went too high profile and targeted very powerful companies. When you have such a huge impact, you make yourself a target, which is exactly what happened,” says Mador.

Happy days are here again

The collaboration between the US and Russia on bringing REvil to heel is, at first glance, welcome after years of hostility between the two powers on cyber and other matters, but it’s probably too early to say whether or not the arrests set a precedent for future cooperation, as Bert Steppé, senior researcher at F-Secure’s Tactical Defence unit, points out.

Steppé foresees two scenarios – one where the arrests were a one-off, and the other where they do herald the beginning of a longer-term cooperation between the US and Russia on cyber issues. “I hope it’s the latter, since I believe it’s the only way to tackle well-organised cyber crime gangs,” he says.

Either way, it’s probably best not to hold your breath for peace to break out. “Arrests by the Russian state for perpetrators of international cyber crime is largely unprecedented,” says Toby Lewis, head of threat analysis at Darktrace. “While this might suggest a landmark turning point in international effort to counter ransomware...it would be too early to consider this the start of greater cooperation, rather than short-term political manoeuvring.”

ThycoticCentrify’s chief security scientist and advisory CISO, Joseph Carson, is quick to put the boot into talk of an outbreak of peace and cooperation between Russia and the US. “We’re in a cyber cold war right now. That’s a reality. Cyber is a weapon that has been used,” he says.

With the regional geopolitical situation in Eastern Europe remaining highly volatile and unstable with regard to ongoing Russian aggression against Ukraine, some commentators have speculated on a link between the FSB’s actions and the fractious negotiations between Moscow and Washington DC.

Note that the past week has also seen concerted Russia-backed cyber attacks against key Ukrainian government targets, although these actions are not linked to any known ransomware gangs.

So could the REvil arrests be an attempt to sweeten the Americans over Ukraine, or distract from the crisis? Carson concedes that while the timing might raise an eyebrow, it’s almost certainly something else.

“When you’ve got such a political situation right now in Ukraine, along with targeted cyber attacks against Ukraine, and then around the same time the takedown of a well-known, notorious ransomware gang, you can’t help but make assumptions that the timing is connected [and] a lot of people are trying to make connections. But I’m not sure it is connected,” he says.

Carson draws on the known connections between high-profile cyber crime gangs and state-backed APT groups, which have in the past turned out to be closely linked, to suggest that what actually motivated the FSB action was an attempt to bring Russia’s own cyber mercenary forces under control.

“It’s not that they [Russia] are taking a stance on ransomware – it’s that they’re showing the other ransomware groups that they must stay in line. Operate, but don’t get caught, don’t get your critical infrastructure hacked, don’t reveal critical information about connections and associations,” he says.

A blow to ransomware gangs

This is not the end of high-profile ransomware gangs, although we may tentatively look forward to a period of retrenchment as cyber criminals work out what to do next.

F-Secure’s Steppé says: “I suspect that these gangs are going to be more careful about their targets, and [will] refrain from attacking anything that would probably cause a huge impact, for example Colonial Pipeline, or attract lots of media attention, for example Kaseya, until it’s clear whether the REvil arrests are a one-time thing or not. So, yes, I think it’s too early to tell what the longer-term impact will be.”

Lewis at Darktrace says: “Arrests we have seen previously have had a decent tactical impact against individual groups, but the thriving marketplace for criminal services, and an ever-increasing list of groups engaging in ransomware, means that the impact via arrest is often only a short-term respite.”

“I don’t think it’s a famous victory. There are many more criminal groups out there,” adds ThycoticCentrify’s Carson, who points to the number of cyber criminal groups that have emerged in the past 12 months alone, which has outpaced, by some margin, the number that have been taken down. “I don’t think we’re reducing the number of gangs out there, although we may be creating a lot of smaller ones.”

One bright spot for victims is the possibility that the FSB has seized and may release a master decryption key – such a key is already available from Bitdefender, but will not work for every victim.

Lewis says the existence of such a key, or who has it, is still an unknown quantity. “Cyber security professionals and victims of REvil alike will be eagerly anticipating whether the FSB were able to seize the master key pair which would be capable of decrypting all the data REvil have previously stolen,” he says. “This will also be a question which current victims who might have been in negotiations with REvil at the time of their arrests will be keen to have answered.”

Focus on resilience

One thing is for certain: those ransomware gangs that haven’t been scared straight will quickly look to change up their tactics, techniques and procedures (TTPs).

“For the security professionals out there, the reality is the next criminals are waiting to pounce. The next attackers are out there and they’re going to have more effective techniques and more successful ransomware software,” says Carson. “Criminal groups learn from the mistakes of the past and they evolve to make sure they’re successful in the future.”

In the coming months, Carson highlights a number of scenarios that may pan out in the criminal underground in response to the REvil takedown, one being that ransomware gangs – wary of inviting the consequences of REvil’s grand heists – will seek more control over who their partners and affiliates target. This will spur the ongoing development of the ransomware-as-a-service subscription model, with new strains that could even include ‘allow’ and ‘deny’ lists of targets in their code.

For CISOs and their teams, the core advice for now remains to focus on resilience in the face of the anticipated evolution of ransomware. In particular, deploy fit-for-purpose backup strategies that are tested and ready for ransomware attacks and that can recover data fast and effectively, so that a situation where you have to consider paying a ransom is avoided.

While this does not solve the double extortion problem of data leakage, it’s a step in the right direction and may mean the difference between a minor inconvenience and a major incident.

REvil’s history revealed

Also sometimes tracked as Sodinokibi or Sodin, REvil, which spawned out of the Gandcrab ransomware operation in 2019, first came to widespread attention in January 2020 when it carried out a crippling ransomware attack on forex services provider Travelex that ultimately contributed to the company’s demise.

But it was in 2021 when the group really started motoring, staging high-profile – and highly lucrative – cyber attacks on the likes of components supplier Quanta Computer, PC manufacturer Acer, meatpacking firm JBS Foods, and managed IT services specialist Kaseya. The gang likely also had links to the May 2021 incident at Colonial Pipeline, which crippled fuel supplies in the US for a time.

Following its attack on Kaseya, the group went dark amid talk of having massively overreached and brought unwanted attention to itself. During the summer of 2021, there was much speculation that REvil’s operators were turning their attention to new strains of ransomware, but they ultimately resurfaced in the autumn, only to find their infrastructure had been compromised by law enforcement and turned against them.

Other arrests of people associated with REvil have since been made in multiple jurisdictions in eastern Europe, including in Poland, where authorities are currently holding an individual suspected of being behind the Kaseya attack, pending extradition to the US.
