Storm in "Safe Haven": Takeaways from Russian Authorities Takedown of REvil

By Yelisey Boguslavskiy

On January 14, 2022, the Russian Federal Security Service (FSB) claimed that it had arrested members of the REvil ransomware gang and shut the group down in Moscow and St. Petersburg and their surrounding districts, at the request of U.S. authorities.

This became one of the first and largest Russian-led operations to arrest, at the request of the U.S. government, members of a cybercrime group active against Western countries.

"[+] Whats Happen [+]"

AdvIntel has extensively tracked underground chatter and, most importantly, the reaction of other ransomware groups in order to identify whether this arrest could significantly shift the ransomware ecosystem. Ransomware gang members do not believe the arrest will lead to any significant changes:

  • Overall, criminals conclude that this arrest was a publicity operation aimed at a formal public demonstration of Russia's political intent to cooperate with the West on combating ransomware, by targeting low-tier members of an already defunct group. As such, this is a single operation and not a defined policy that can affect the cybercrime domain.

  • The timing of this arrest coincides with the recent U.S.-Russia security talks and may be directly related to the political discussions within the broader geopolitical relationship between the two countries.

  • So far, the arrested members of the hacking group have been charged only with "illicit money control/laundering", not with hacking. This may be explained by the domestic policies under which Russia de-criminalizes hacking while criminalizing cryptocurrency anonymity. Such policies aim to bring stronger state control over the ransomware market.

(The official announcement by the FSB clearly states that the arrest was conducted on the grounds of a request from U.S. security officials.)

Video of the purported arrest:

Adversarial Perspective: Underground Insights

Today AdvIntel has extensively tracked underground chatter and, most importantly, the reaction of other ransomware groups in order to identify whether this arrest could significantly shift the ransomware ecosystem. Our preliminary findings identify a clear consensus within the ransomware community that the arrest itself is not yet significant, since it is part of a long-term process that Russian law enforcement initiated in Spring 2021, a process associated with high-profile ransomware attacks against U.S. critical infrastructure and inherently tied to the broader geopolitical context of U.S.-Russia relations.

Indeed, AdvIntel has previously identified private statements by top ransomware affiliates and leaders of groups including Avaddon, Darkside, HIVE, and BlackMatter, who claimed that since Spring 2021 the Russian security apparatus has been applying gradual pressure on ransomware. For instance, high-profile actors directly affiliated with the Avaddon gang claimed that it was direct pressure from the FSB that forced the group to release its security keys. Similar statements were made on underground forums regarding Darkside and REvil when those groups released attack-related information. Even Conti ransomware, which is known for its resilience, has expressed concerns over potential pressure from Russian law enforcement.

As such, the ransomware community remains skeptical of the arrest. AdvIntel's sensitive source intelligence confirmed that Russian-speaking criminal actors agree that the individuals arrested today are most likely low-tier affiliates who were directly linked to REvil's auxiliary operations, such as money transfers, money laundering, and other support activities that follow ransomware attacks. In other words, based on AdvIntel's insight into the actual affiliate ecosystem, threat actors are confident that neither REvil's developers nor its skilled pentesters have been arrested.

The broader non-ransomware underground chatter is characterized by generic comments and moderate support for REvil's arrest. This support is due to the group's poor reputation across the Russian-speaking cybercrime community. Some cheer because REvil was known across the underground as a group that scammed its own affiliates; in this sense, forum actors believe the arrest indeed serves some sort of justice.

The underground community agrees that REvil has continuously made strategic mistakes by focusing on political publicity, committing politically motivated attacks, and attracting media and public attention. Actors conclude that if a group stays on the traditional cybercrime path, i.e. remains strictly non-public and for-profit, it can sustain itself peacefully and continue to operate.

(The moderator of the XSS and Exploit forums, who is responsible for auditing and reviewing all ransomware and malware partnerships on these two major forums, has been one of the most consistent critics of REvil.)

Actors from the older generation of cybercrime repeat their long-standing view that ransomware is a form of intellectual primitivism, as it does not require sophistication (read more in AdvIntel's research: [DarkWeb Insights] The Digital "Thief War": How COVID-19 Pandemic Triggered a Generational Conflict). They add that, given this primitivism, it was not surprising that ransomware operators were caught so easily.