REvil Arrests. PHOTO: Cybercrime Magazine.

U.S. & Russia Vs. REvil: Who Will Win?

Malicious activity persists weeks after arrests

Charlie Osborne

London – Jan. 28, 2022

The arrest of suspected members of the REvil group has “bred fear” in the cybercriminal community — but this hasn’t stopped its activities.

When it comes to clamping down on cybercrime, the United States and Russia are far from bedfellows. The unexpected cooperation between the world powers in arresting REvil suspects, however, may have created a new benchmark — and one that cybercriminals are concerned about.

On Jan. 14, Reuters reported that at the request of U.S. officials, Russia’s Federal Security Services (FSB) domestic intelligence service detained and charged 14 alleged members of REvil, seizing 426 million roubles, hundreds of thousands in other currencies, luxury cars, and electronic equipment.

REvil is a notorious hacking group responsible for the Colonial Pipeline incident, in which a ransomware infection disrupted fuel supplies across the U.S. and triggered panic buying. The group is also considered to be the perpetrators behind a cyberattack against JBS, one of the world’s largest meat processors.

Following the arrests, Trustwave SpiderLabs researchers monitored Dark Web chatter and noted that the rare example of U.S.-Russia cooperation and “this potential new world is breeding fear in that community.”

Trustwave says there was a “great deal of anxiety and consternation” surrounding the arrests — potentially as Russia has often, in the past, turned a blind eye to cybercriminal activity as long as it took place outside of the country’s borders.

“The comments mentioned a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation with the United States and Russia will be a problem for their operations going forward,” the researchers say.

In forum posts, some users said they had no desire to go to jail, and others were concerned that forum operators themselves are working with law enforcement — and if these members do not trust each other, this could also impact their illicit business activities on underground platforms.

One user called the arrests a “terrible precedent.”

In addition, some forum members went so far as to debate the advantages — and disadvantages — of moving their operations to another country.

Others suggested the arrests may have been purely for show in order to placate world leaders at a time when tensions between Russia and Ukraine are boiling over.

“There is a strong chance that the FSB’s activity has a long-term impact on cybercrime, but only if the Russian government follows through and prosecutes those arrested to the full extent of their law,” the researchers noted. “Russian prisons are no walk in the park, and cybercriminals know that.”

The Digital Shadows team has also been monitoring the impact of the ransomware group arrests and the general attitude of Russian speakers on underground forums when it comes to law enforcement.

The forums are awash with contradictory opinions. Some users suggest that Russian cybercriminals who end up in prison will be fine and likely ignored; others say that hackers have a hard time behind bars and will be targeted as “weak” prisoners, whereas others say that corrupt prison officials may allow cybercriminals to continue their work as “hens that lay golden eggs” — but sentencing would increase in return for the privilege.

However, one core question has also been asked: do the REvil arrests matter in the grand scheme of things?

According to ReversingLabs researchers, the answer is no.

Weeks after the arrests, the firm’s threat data indicates there has been “little change in the availability of malicious files and implants associated with the group.”

Instead, the current seven-day daily average of REvil/Sodinokibi-linked implants has increased: to 26 implants per day (180 per week), up from an average of 24 implants per day (169 per week) before the arrests.

“More time will be needed to assess the full impact of the arrests on REvil’s activity,” the researchers say. “But the data so far suggests either that REvil or REvil affiliates remain active or — alternatively — that there is unusually persistent background noise of REvil sycophants, impersonators, red flag operations, and yes, even researchers.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets.
