News Insights: FSB Takes down REvil Ransomware Gang

News broke today about individuals allegedly associated with the REvil ransomware gang being arrested by the Russian FSB. REvil had been associated with many high-profile attacks, including one against software vendor Kaseya last year. The group had ceased operations in October 2021 due to an unexpected compromise of their infrastructure. This followed a brief summer hiatus, triggered by the group’s alleged founder, who was said to have run off with the money.

News Insights:

John Shier, Sophos Senior Security Advisor: “There is no confirmation of whether any of the self-identified leaders (e.g. UNKN, 0_neday) have been arrested. The arrests by the FSB, allegedly at the request of the US government, are unusual given Russia’s stance on such crimes. The news comes at a time when political tensions between the two governments are running high and it’s easy to be cynical about the motive. At a time when Russia needs a little geopolitical goodwill, they arrest individuals associated with a defunct ransomware group. If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was. While we can be afforded some brief time to celebrate the good news, it’s always important to remember that cybercrime isn’t just about ransomware. There are plenty of other cybercriminals, who were not impacted by these arrests, who will continue operating as usual.”

Dirk Schrader, Global VP of Security Research at NNT, now part of Netwrix: “The news about arrests of ransomware gang members and affiliates gives a promising start to the year 2022. We can hope that the REvil group is now dismantled in what looks like an unprecedented coordinated effort by law enforcement across the globe. Events like this should send shivers throughout the ransomware ecosystem and significantly increase the risks for current and potential future cybercriminals. Time will tell if the number of high-profile ransomware attacks eventually goes down as a result. In the past, any vacuum in the ransomware space was filled by other gangs. That said, it is too early to say whether such a level of international cooperation will turn into systemic efforts to put an end to widespread ransomware attacks. Only consistent, united efforts to deprive the attackers of any safe harbor can ensure long-term results. Otherwise, recent detentions will remain exceptional incidents. Most importantly, don’t let these arrests lull you into a false sense of security. While one major ransomware actor is taken down, other gangs may see this as a call to step up their game. IT and security teams should continuously re-evaluate the threats and risks, and adapt their processes and tools to protect the organization’s sensitive data and infrastructure.”

Ziv Mador, VP of Security Research, Trustwave SpiderLabs: “This unprecedented action from the Russian Federal Security Service (FSB) aligns with the fear that we’ve observed while conducting cybercriminal chatter reconnaissance on the Dark Web. Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia. Time will tell if REvil resources will reemerge in another form, as we’ve seen with other ransomware groups many times in the past.”