REvil’s infrastructure crippled; Russian authorities make arrests

Authorities seize assets and break down malicious infrastructure


I can’t lie, writing this article is cathartic. For well over a year now, I’ve been following the antics of ransomware gangs and their catastrophic effect on people’s lives. From hospitals to schools, these ghoulish mobs of digital thieves have mercilessly put anyone in their crosshairs in hopes to score a quick buck. During the height of the COVID-19 pandemic, hospitals and medical facilities were pressed to breaking, with nurses overworked and understaffed among dozens of other problems. Did ransomware gangs care? No, of course not.

So, when I read that REvil, one of – if not the most – infamous ransomware gang, has had its infrastructure gutted with numerous arrests made, I am ecstatic.

The “liquidation” of REvil

The US has been well aware of this particular ransomware gang for a long while. But action against the gang proved challenging, as it required cooperation between the FBI and Russia’s Federal Security Service (FSB). President Biden has put pressure on Putin to take action against these gangs, since they originate in parts of Russia. Given the tense nature of this international relationship, it’s proven challenging to say the least.

But at the request of US authorities, as reported, the FSB conducted numerous arrests, recovered millions in stolen assets, and effectively disemboweled REvil’s operations. If you needed a reminder, REvil is the gang responsible for massive infrastructure attacks, such as against JBS Foods, the Kaseya attack, and of course, the Colonial Pipeline attack. Frustrating, no doubt, for those impacted: not only because of the impact it had on daily lives, but because there were virtually no repercussions at the time.

It is important to note, though, that REvil’s downfall was not swift and immediate. Like any leviathan, it took a “death by a thousand cuts” approach. Their services, for example, were cut off for a period of two months in 2021. They re-emerged as a RaaS (ransomware as a service) model afterward, though not at full strength. They even drew scrutiny within their own dark market ranks by cutting up their profit margins.

The arrests

The FSB made sweeping arrests across 25 different locations, primarily in Lipetsk, Moscow, Leningrad, and St. Petersburg. The assets recovered totaled $5.6 million USD, €500,000, various cryptocurrencies, and luxury cars. 14 individuals were also arrested, under the charge of “illegal circulations of payment.”

Breaking a symbol

How does this fit into the overall picture of cybercrime? The bad news is, it’s a small victory against a tide of attackers and other ransomware gangs. The dark web flourishes with new activity and threats, and will likely continue to do so.

Extortion leak sites and gangs like Lockbit 2.0 provide ample evidence that attackers are still numerous and well resourced. Given the stresses created by COVID and political turmoil, the foundation is ideal for more attacks. And, as remote work becomes an established norm, the need for good cybersecurity only grows.

But the good news is the symbolic victory against REvil. With one of the most infamous ransomware gangs dismantled, the message is clear: international efforts to take down malicious actors are increasing, and there are consequences for destabilizing infrastructure.

The effort has also been a major collaboration among international authorities. Various arrests made in places such as Germany and Ukraine helped build the information needed to continue destabilizing REvil.

Still, problems remain, primarily in that ransomware and other malicious gangs find safe haven in Russia. The “ethics” behind this arrangement is that hackers agree to avoid attacking or disrupting Russian infrastructure in exchange for protection. Given that Russia’s geopolitical posture is aloof, to put it one way, it makes sense: if you can’t hurt your geopolitical foes directly, indirect infrastructure attacks are just as good.

Researchers note that the hives of gangs operating on Russian servers go by a modus operandi: “protect the motherland, the motherland protects you.”

At least, it appears, when your usefulness ends.

This is the death knell for REvil, and a message to other threat actors. With continued cooperation, we’ll hopefully see more ransomware gangs fall apart too.

-Douglas James

Want more information and tools to protect your business from threat actors? Contact Bytagig today for additional resources.
