It was recently revealed that Russian authorities had dismantled the notorious ransomware-as-a-service (RaaS) group REvil via a series of raids and arrests.
What is REvil?
REvil, also referred to as Sodinokibi, is a Russia-based ransomware gang that has plagued industry and government organizations alike with its history of brazen, high-profile attacks.
In 2020, REvil engaged in attacks on victims ranging from then US president Donald Trump to celebrities including Lady Gaga and Madonna. The information stolen from Donald Trump was allegedly sold, whereas Lady Gaga suffered a leak of harmless emails and the attack on Madonna seemed to evaporate.
In 2021, REvil took its actions into high gear and rose to prominence with headline-grabbing attacks against prominent industry leaders.
In May, Brazilian company JBS, the world’s largest supplier of meat and poultry products, was forced into a temporary shutdown as a result of REvil’s ransomware attack. Grabbing the attention of the White House, the FBI confirmed REvil’s involvement in the hack. JBS reportedly paid an $11 million ransom in Bitcoin to REvil in exchange for regaining control of their network and resuming operations.
In July of 2021, REvil set their sights on Florida-based software company Kaseya. As a result of their attack on Kaseya, over 1,000 of the company’s downstream clients felt the effects of REvil’s malware, resulting in an international ransomware crisis that affected organizations ranging from schools to rail operators to grocery stores. Kaseya was able to restore their systems with the help of a third party’s decryption key and reportedly did not pay a ransom.
As REvil’s actions, along with cyberattacks of all types, created international havoc for organizations throughout 2021, the Biden administration sought to take Moscow to task for harboring cybercriminals, regardless of whether they were independent or state-sponsored.
After a July 9th phone call between the leaders, President Biden said “I made it very clear to that the United States expects, when a ransomware operation is coming from their soil even though it’s not sponsored by the state, that we expect them to act if we give them enough information to act on who that is.”
REvil goes dark
Shortly after Biden and Putin’s conversation, it was noted that REvil’s online footprint, including websites and other digital infrastructure, had seemingly disappeared. This led to speculation that pressure from government authorities had forced the group to go into hiding.
Research into REvil’s software also revealed that the gang had built in code that allowed it to cheat clients out of ransom money paid by victims. This revelation greatly soured the hacker community’s trust in REvil as a reliable RaaS provider.
October of 2021 saw an international team force REvil offline after hacking the gang’s servers. The next month also led to the arrest of two affiliated REvil members in Romania.
On January 14 of 2022, reports from Moscow indicated that Russia’s Federal Security Service (FSB) and the Ministry of Internal Affairs of Russia had effectively taken REvil down. Raids and at least 8 arrests were conducted at 25 properties linked to 14 REvil members across various parts of Russia.
The FSB’s official statement reported the seizure of computer equipment, cryptocurrency, more than 426 million rubles, $600,000 in US dollars and €500,000 in euros. Additionally, the raids resulted in the confiscation of 20 luxury vehicles that REvil members purchased with funds obtained from their ransomware operations.
According to a statement from the FSB, “the organized criminal community ceased to exist” and “the information infrastructure used for criminal purposes was neutralized” as a result of their actions.
Russia has been quick to assert that their deconstruction of REvil was done as an act of goodwill at the request of President Biden and other G7 nations.
However, many believe that the country’s moves against the gang were done in part to help take eyes off of Moscow during a period of escalating international tension with regard to Russia’s pressure on neighboring Ukraine. The raids took place shortly after a widespread cyberattack defaced 70 government websites belonging to the former Soviet state.
Ukrainian authorities feel that they have adequate evidence to place blame for the attack on Russia, referring to Moscow’s maneuvering as a “hybrid” war in which they engage in cyberattacks to complement the increased physical presence of Russian troops at the countries’ shared border. Russia’s motivation is to prevent Ukraine, a country that gained independence from Russia in 1991, from further Western influence in the form of NATO membership.
Many experts believe that Russia’s actions regarding REvil have been timed in order to use the gang’s dissolution, and Russia’s continued cooperation with regard to cybercriminals, as leverage in the face of sanction threats and looming, high-stakes diplomacy.
Does REvil even matter anymore?
While REvil’s takedown has important implications when it comes to the ability of government authorities to crack down on hackers, the loose structure of ransomware gangs and the continually evolving hierarchy of big players in the world of cybercrime lead some to wonder if the supposed end of REvil even matters.
Ransomware gangs have a habit of going quiet only to rebrand or reappear under a different name using similar, if not identical, malware and tactics. REvil itself is believed to be either an offshoot or a newer incarnation of a previously active gang known as GandCrab.
BlackMatter, a relatively new RaaS provider, emerged soon after DarkSide was similarly taken down by authorities after their attack on the Colonial Pipeline. BlackMatter says that it combines the best features of now-crippled ransomware gangs, REvil included. Authorities and experts agree that the actors involved in these groups have nebulous loyalties, with members dipping into different groups, comparing notes and repeatedly reinventing their names and associations.
What this means is that while a ransomware gang being rendered inactive may be perceived as a win for those who want bad actors to take a second thought with regard to their supposed immunity from consequences, the hydra-like nature of criminal enterprise means that vacuums rarely go unfilled for long.
This month’s decapitation of REvil may simply result in the growth of a new head and yet another player on the field in today’s war against ransomware purveyors.