On 14 January 2022, our seemingly quiet Friday afternoons were shattered by a piece of breaking news, detailing the arrest of several REvil (aka Sodinokibi) members. Ransomware members’ arrests are always welcomed – and even more so when they are followed by video evidence of the arrests (you gotta love them; shades of the Bourne Identity with the camerawork!).
However, the team’s first reaction was nothing short of surprise. Why is that? This time the news came from an unusual source: the Russian Federal Security Service (FSB, or Федеральная служба безопасности in Russian). Before delving into why this was a strange move and how we’re making sense of it, let’s discuss the facts.
According to a press release published on its website, the FSB carried out these arrests following a request from the United States that came with detailed information on the operators of this ransomware and their previous activities. In cooperation with the Investigation Department of the Russian Ministry of Internal Affairs, the FSB conducted several raids to seize members’ assets, including more than 426 million rubles (part of it in cryptocurrency), 600 thousand US dollars, 500 thousand euros, computer equipment, crypto wallets used to commit crimes, and 20 luxury cars purchased with money obtained from crime.
The report further claims that as a result of this operation, the REvil gang no longer exists, and the technological infrastructure used to conduct their attacks has been “neutralized.” Interestingly enough, the press release states that the arrested members are being charged with committing crimes under Part 2 of Art. 187 (“Illegal circulation of means of payment”) of the Criminal Code of Russia, without any mention of charges related to computer-fraud activities.
The ransomware group REvil (aka Sodinokibi) has been one of the most significant characters in the evolving ransomware drama playing out over the past few years. The REvil ransomware variant was first detected in April 2019, and although the group initially focused on targeting Asia-based entities, the ransomware operators and associated affiliates became indiscriminate in their choice of victim and sector (apart from Russia-based organizations, as per ransomware tradition). REvil’s bold and brazen attacks, such as targeting the Kaseya desktop management software and the meat processing organization JBS, meant that the group has rarely been out of the news.
The group suddenly disappeared from the scene in July 2021, presumably after gathering enough money to retire happily on a remote island somewhere (although they’ve probably been in some decadent Russian outskirts). What happened to them? We still have no clue, but we tried to figure it out with the Analysis of Competing Hypotheses exercise we carried out last summer. After that, the group stopped carrying out attacks, and one of its representatives showed up in October to discuss the alleged hijacking of their domains and the group’s intention to disappear from the scene.
And then after that? Absolutely nothing. No one has heard from the group’s members until today. As I said before, we couldn’t help but be surprised by this supposed Russian-American cooperation in the arrest of these 14 REvil members – and we’re left with one simple question: “Why?”.
Before analyzing these arrests, let’s take a step back to look at the bigger picture. From a geopolitical perspective, we’ve observed growing tension between Russia and Ukraine in the past weeks. Russia has built up more than 100,000 troops along the Ukrainian border and conducted several military exercises. Recent talks between the West and Russia to defuse the crisis also appear to have reached an impasse; this week, a top Russian negotiator said diplomatic efforts had reached a “dead end.” There are credible fears of another Russian invasion of Ukraine, with Russia reportedly compelled to react to Ukraine’s attempts to move towards NATO membership, which would deepen its military and economic ties with the West.
In an operation possibly tied to what we’ve just discussed, today we saw reports emerging of a significant defacement cyberattack hitting several Ukrainian government websites and making them inaccessible. The attack came with an ominous warning for Ukrainians, stating they should “be afraid and expect the worst.” This attack reportedly targeted 15 websites in Ukraine that used the October content management system and resulted in the sites being defaced, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers, the Treasury, and others. Attribution for this attack is still uncertain, but its tactics, techniques, and procedures (TTPs) – along with a suspicious timeline – suggest that a Russian state-encouraged actor may have been behind it.
This brings us to today’s arrests. The cooperation and the timing of these arrests seem noteworthy to us. We’re used to seeing Russia and the US in opposition when discussing cyber-related events, not cooperating against cybercriminal operations. So why did the FSB conduct these arrests?
At the time of writing, we don’t have a definitive answer. However, based on events observed historically, we can assess likely reasons behind this operation. These arrests seem to indicate some willingness to offer concessions to the US and its allies, or at the very least, some semblance of cooperation: for example, increased cooperation in the cybersphere if diplomatic negotiations between the two countries evolve into more favorable conditions for Moscow.
Additionally, it is important to note that REvil hasn’t been active for quite a few months now. So while these arrests appear to be a sign of goodwill, we have to stress that REvil could easily serve as a scapegoat standing in for other ransomware operations, and thus – again – as a demonstration of what cooperation between Russia and the US could look like under the right conditions.
When these big events in the cybersphere happen, it is always important to monitor how cybercriminals react. Echoing what we mentioned above, chatter on Russian cybercriminal forums suggested that REvil were “pawns in a big political game”. In addition, another user suggested that Russia made the arrests “on purpose” so that the United States would “calm down” (in relation to potential sanctions tied to the Ukrainian border disputes).
It’s possible that the FSB raided REvil knowing that the group was high on the priority list for the US, while judging that its removal would have little impact on the current ransomware landscape. These arrests could also have served a secondary purpose of warning other ransomware groups. REvil made international news last year with its targeting of organizations such as JBS and Kaseya, which were high-profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting.
Ultimately, these arrests represent a significant display of potential cooperation, but behind them lie critical caveats that need to be taken into account in any deeper assessment.
These arrests have been a pretty remarkable event for the threat landscape. At Digital Shadows (now ReliaQuest), we continue to scour the world for information about this and other law enforcement operations to keep our clients informed. If you’re curious about our intelligence, you can take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a free test drive for seven days or get a customized demo to understand ransomware threats in your organization’s industry and geography.