Russia’s FSB said that it raided gang hideouts, seized currency and cars, detained members and neutralized REvil’s infrastructure.
At the request of U.S. authorities, Russia’s Federal Security Service (FSB) has swooped in to “liquidate” the REvil ransomware gang, it said on Friday.
According to local reports, the country’s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow and St. Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000, €500,000, various amounts of cryptocurrency and 20 luxury cars.

The FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been charged with “illegal circulation of means of payment.” The security service also said that it “neutralized” the gang’s infrastructure.
The impetus for the operation was reportedly a formal request for action from U.S. authorities, “reporting about the leader of the criminal group and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” according to an FSB media statement.
It added, “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.”
The move comes two months after a high-stakes phone call between Russian President Vladimir Putin and U.S. President Joe Biden, who has been calling for action against Russia-based ransomware gangs for months.
REvil (aka Sodinokibi) once rose to dominance as a major fixture in the ransomware extortion racket, locking up big-fish target networks (like JBS Foods) and extracting hundreds of thousands of dollars in ransom payments. It made headlines last year with the sprawling zero-day supply-chain attack on Kaseya’s customers and was linked to the notorious Colonial Pipeline cyberattack, prompting an official call-out from Biden with a demand that Putin shut down ransomware groups nesting in his country. Shortly after that, in July, REvil’s servers mysteriously went dark and stayed that way for two months.
By late summer, the group was reborn as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former capacity and missing key staff. Its main coder, UNKN (aka Unknown), for instance, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates out of their fair share of ransom payments.
REvil Takedown: Will it Matter?
The reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to strike with impunity. LockBit 2.0, for instance, has been flourishing, as evidenced by Herjavec Group’s LockBit 2.0 profile and its long list of LockBit 2.0 victims.
Ransomware options are growing in availability, too: Group-IB recently found that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.
In other words, this action may be merely a small win in the much larger battle against ransomware. But REvil has become an important symbolic target in that fight, not least for its potential ties to Colonial Pipeline, and has been squarely in government crosshairs around the world.
In October, a multi-country undercover effort led to REvil’s servers being briefly taken offline. In November, Europol announced the arrest of a total of seven suspected REvil/GandCrab ransomware affiliates, including a Ukrainian national charged by the United States with ransomware attacks that include the Kaseya attacks. Other countries have also snagged affiliates (independent cyberattackers who rent REvil’s infrastructure), which does not affect the core gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far from the reach of extradition.
Russia, for its part, may get some kudos for this week’s action, though researchers have long noted that the country provides a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.
“In Russia, they literally have no fear of being arrested,” Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground’s collective shrug at the news that REvil affiliates were being busted. “They make comments like, ‘protect the motherland, the motherland protects you’…They put Russian flag icons on their messages.”
Could that be changing? Only time will tell.
Some parts of this article are sourced from:
threatpost.com