While some of us might be taking it easy after the excesses of the Christmas period, January certainly hasn’t been a slow news month in the world of cybercrime. The FSB arresting alleged members of the ransomware group REvil (aka Sodinokibi) at the apparent behest of the FBI coincided with a massive cyberattack against organizations in Ukraine. We can only speculate on the exact reasons behind these arrests, but one thing we can say for sure is that these events have sent some Russian-language cybercriminal forum users’ blood pressures through the roof. Over the years, we have witnessed a constant level of chatter on the forums about the prospect of arrest and imprisonment, but the community has never appeared so worried about how their cybercriminal careers may end and how they might fare in jail. In this blog, we’ll take a look at how threat actors on Russian-language cybercriminal forums rate their prospects of being arrested and how they fancy their chances in prison.
One of our past blogs examined how cybercriminal forum users view their chances of ending up in prison. In short, we observed a widely held belief that threat actors who do not target victims in the Commonwealth of Independent States (CIS) would be protected from prosecution because of the perceived corruption of the Russian legal system and the state’s apparent lack of interest in convicting its citizens who target victims in other geographies. Almost all Russian-language hacking forums forbid their users from targeting victims in the CIS, and moderators and administrators strictly enforce this rule. Similarly, the Russian constitution’s prohibition on extraditing Russian citizens appears to have led many cybercriminal forum users to believe that they will be safe as long as they do not travel outside the country. The party line was: “Stay in Russia, don’t attack Russia or its allies, and life will be sweet.” In 2020, one forum user wrote, “If you’re working on the Russian Federation, then they’ll hunt you down, but if you’re working on the EU or the US, then nothing will happen, no one will care, until you visit the EU or the US.”
Since the REvil arrests, there appears to be a consensus that these adages no longer ring true. As one forum user put it: “A precedent has been set.” Russian hackers are now grappling with the genuine prospect of arrest on their own soil, even if they only target foreign victims. Another user commented, “if you still continue to firmly believe that if you are in the Russian Federation, then nothing will happen to you, no matter what you do, this faith will destroy you.”
As a result, questions such as: “What will happen to my stuff if I get arrested for money laundering?” or “How many years will I get for ransomware?” are becoming increasingly common on cybercriminal forums, as users worry about the arrests’ implications for their own malicious activity. Much of the debate centers around whether it is better to be incarcerated for cybercrime in Russia or the US.
Forum users generally point to three main but contradictory outcomes for cybercriminals who end up in Russian prison: an easy time, harsh treatment, or an increased sentence.
Some users suggest that other prisoners will largely ignore convicted cybercriminals because they do not care about cybercrime. They claim that as long as cybercriminals don’t boast about their ill-gotten gains, no one will pay them much attention. One user advised convicted cybercriminals not to disclose their specific industry so that other prisoners would respect them simply for being a thief. Others have said that cybercriminals will be able to “serve and enjoy” their time in jail because prisoners and staff look upon cybercrime targeting Western organizations more favorably than violent crime against Russian nationals, for example. We’ve also seen suggestions that cybercrime carries a certain kind of kudos akin to that enjoyed by bank robbers. A forum member who claimed to have served time in multiple Russian prisons wrote, “I’ve been everywhere […] they’ll beat you for other things, but not for computers.”
Other forum users, including those claiming to have served time in Russian prisons, allege that hackers are “weak nerds” who will not be tough enough for the harsh environment in Russian jails. One threat actor painted a particularly bleak picture: “if you’re so worried about this issue now, then make no mistake: if you end up [in prison], they will 100% kill you.” Another agreed, writing: “god forbid you even think about going there. It’s a world of its own.” One forum member claimed that the vory v zakone [Russian prison mafia] would force cybercriminals to work for them, even after the sentence had finished: “The Urki [career criminals] will advise the Bratva [Russian mafia] so that you work for them after your release, if you run your mouth too much.”
A third opinion holds that prison staff will look after convicted cybercriminals and may even allow them to continue their activities in prison. In 2015, one user wrote: “if you let people know that you can make money rummaging through computers,” then “they’ll give you a laptop” and “set you up in a separate cell with all the benefits”, so you can “work”, implying that any profits from cybercrime would be given to prison staff. This user noted that such treatment would not come without a cost. The same corrupt officials would allegedly find a way to increase the prisoner’s sentence: “you won’t be able to earn much, but your term [sentence length] will grow by the year,” because “no one will release the hen that lays golden eggs”.
The REvil arrests have led cybercriminals to contemplate not only jail time in Russia, but also extradition to the US, although many remain pretty confident Russia will not extradite. The consensus on Russian-language cybercriminal forums holds that while Russian prison is harsher, terms are much longer in the US, where “they’ll give you centuries to think about what you’ve done”. In 2015, after a cybercriminal’s sentence was commuted in Russia, a forum user commented: “in the US you’d be put away for 15 years for such crypting”. This belief has held into 2022. Following the REvil arrests, one user noted that the arrested individuals have been charged under money laundering laws that carry a maximum sentence of seven years. Another user commented that seven years is “a very long time,” but less than “the terms REvil would face in the US.”
Many forum users have expressed the belief that although both countries largely follow the “prison for punishment” model rather than the “prison for rehabilitation” school of thought, conditions are much harsher in Russia. Comments like, “Serving time in American prisons isn’t too bad, but the terms are long” are common. “Svezhak”, a convicted Ukrainian cybercriminal who served time in the US for bank fraud, echoed this sentiment in their memoirs, writing fondly of their treatment in some US prisons and the surprising lack of violence compared with jails in the CIS.
Some forum users have pointed out that a Russian cybercriminal’s time in a US prison would depend on their ability to speak English and assimilate into US prison culture, where inmates are often divided along racial and ethnic lines. One user wrote, “If I were given the choice to serve in a Russian/Ukrainian prison for 5-7 years or in an American prison [for the same time], I would probably still choose the American”. Another user replied, “without fluent English? […] you won’t even know the slang”, indicating that Russians who are not fluent in American culture will not fare well in US prison. It’s possible that Russians are projecting the importance of Russian prisoner dialect, which is much more than just slang, onto US prison culture, although Svezhak wrote in his memoir that he struggled in US prison until he learned English.
Some forum users highlighted the futility of comparisons between Russian and US prisons, noting that arrested cybercriminals will not have a choice in the matter and cannot plan for either outcome. These users sought to move the conversation towards improving operational security (OpSec) to avoid going to jail in the first place. Many argued that REvil members became overly confident in their abilities and took excessive risks with their OpSec, using vulnerable tools and infrastructure or boasting about their activities to friends and family. As one user put it: “It is impossible to separate technical security from personal security”.
The recent arrests have certainly got users worried. Threat actors operating out of the CIS doubt they can still count on “immunity” based on who they target. Now more than ever, they must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them. Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to gain access to their assets. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection). Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection).