On 14 January 2022, our seemingly quiet Friday afternoons were shattered by a piece of breaking news, detailing the arrest of several REvil (aka Sodinokibi) members. Ransomware members’ arrests are always welcomed – and even more so when they are followed by video evidence of the arrests (you gotta love them; shades of the Bourne Identity with the camerawork!).
However, the team’s first reaction was nothing short of surprise. Why is that? This time the news came from an unusual source: the Russian Federal Security Service (FSB, or Федеральная служба безопасности in Russian). Before delving into why this was a strange move and how we’re making sense of it, let’s discuss the facts.
According to a press release published on its website, the FSB carried out these arrests following a request from the United States that came with detailed information on the operators of this ransomware and their previous activities. In cooperation with the Investigation Department of the Russian Ministry of Internal Affairs, the FSB conducted several raids to seize members’ assets, including: over 426 million rubles, including in cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars purchased with money obtained from crime.
The report further claims that as a result of this operation, the REvil gang no longer exists, and the technological infrastructure used to conduct their attacks has been “neutralized.” Interestingly enough, the press release states that the arrested members are being charged with committing crimes under Part 2 of Art. 187 “ “Illegal circulation of means of payment” of the Criminal Code of Russia”, without any mentions of charges related to computer-fraud activities.
Who was REvil (Sodinokibi)?
The ransomware group REvil (aka Sodinokibi) has been one of the most significant characters in the evolving ransomware drama playing out over the past few years. The REvil ransomware variant was first detected in April 2019, and although the group initially focused on targeting Asia-based entities, the ransomware operators and associated affiliates became indiscriminate in their choice of victim and sector (apart from Russia-based organizations, as per ransomware tradition). REvil’s bold and brazen attacks, such as targeting the Kaseya desktop management software and the meat processing organization JBS, meant that the group has rarely been out of the news.
The group suddenly disappeared from the scene in July 2021, after ideally gathering enough money to retire happily on a remote island somewhere (although they’ve probably been in some decadent Russian outskirts). What happened to them? We still have no clue, but we tried to figure it out with our Analysis of Competing Hypotheses exercise that we carried out last summer. After that, the group stopped carrying out attacks, and one of its representatives showed up in October to discuss their domains’ alleged hijacking and the group’s intention to disappear from the scene.
And then after that? Absolutely nothing. No one has heard from the group’s members until today. As I said before, we couldn’t help but be surprised by this supposed Russian-American cooperation in the arrest of these 14 REvil members – and we’re left with one simple question: “Why?”.
Geopolitical Situation and Unattributed Cyberattacks
Before analyzing these arrests, let’s take a step back to analyze the bigger picture. From a geopolitical perspective, we’ve observed a growing tension between Russia and Ukraine in the past weeks. Russia conducted a build-up of more than 100,000 of its troops along the Ukrainian border and conducted several military exercises. Recent talks between the West and Russia to defuse the crisis also appeared to have reached an impasse; this week, a top Russian negotiator said diplomatic efforts had reached a “dead end.” There are credible fears of a Russian invasion into Ukraine once again, with Russia reportedly compelled to react to Ukraine’s attempts to move towards NATO membership, which would result in deepening military and economic ties with the West.
In an operation possibly tied to what we’ve just discussed, today we saw reports emerging of a significant defacement cyberattack hitting several Ukrainian government websites and making them inaccessible. The attack came with an ominous warning for Ukrainians, stating they should “be afraid and expect the worst.” This attack reportedly targeted 15 websites in Ukraine that used the October content management system and resulted in websites being defaced. This included the Ministry of Foreign Affairs, Cabinet of Ministers, Treasury, and others. Attribution for this attack is still uncertain, but the tactics, techniques, and procedures (TTPs) of the attack – along with a suspicious timeline – suggested that a Russian state-encouraged actor may have possibly been behind this attack.
Making Sense of These Arrests
This leads to today’s arrests. The cooperation and the timing of these arrests definitely seems noteworthy to us. We’re used to seeing Russia and the US in opposition when discussing cyber-related events, not cooperating against cybercriminal operations. So why did the FSB conduct these arrests?
At the time of writing, we don’t have a definitive answer. However, based on the events observed historically, we can assess the reasons behind this operation. These arrests seem to indicate some sort of willingness to provide concessions to the US and its allies, or at the very least, some semblance of cooperation. For example, increased cooperation in the cybersphere if diplomatic negotiations between the two countries would evolve into more favorable conditions for Moscow.
Additionally, it is important to notice that REvil hasn’t been active for quite a few months now. Therefore, masked behind an apparent sign of goodwill, we have to stress that REvil could greatly work as a scapegoat for other ransomware operations, and thus – again – of what cooperation between Russia and the US could look like under the right conditions.
When these big events in the cybersphere happen, it is always important to monitor how cybercriminals react. Echoing what we mentioned above, chatter on Russian cybercriminal forums suggested that REvil were “pawns in a big political game”. In addition, another user suggested that Russia made the arrests “on purpose” so that the United States would “calm down” (in relation to potential sanctions tied to the Ukrainian border disputes).
It’s possible that the FSB raided REvil knowing that the group was high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape. These arrests could also have served a secondary purpose to warn other ransomware groups. REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting.
Ultimately, these arrests represent a significant display of potential cooperation but behind them lie critical caveats that need to be taken into account into a deeper assessment.
Monitoring the Threat Landscape
These arrests have been a pretty remarkable event for the threat landscape. At Digital Shadows (now ReliaQuest), we continue to scour the world for information about this and other law enforcement operations to keep our clients informed. If you’re curious about our intelligence, you can take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a free test drive for seven days or get a customized demo to understand ransomware threats in your organization’s industry and geography.