
At US request, Russia rounds up 14 REvil Ransomware affiliates – Krebs on Security

The Russian government today said it had arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the measures were taken in response to a request from US officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 soldiers along the border with Ukraine.

FSB headquarters in Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized over US$600,000, 426 million rubles (~US$5.5 million), 500,000 euros, and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on the appeal of the American authorities, who denounced the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB said. “Representatives of the relevant US authorities have been notified of the results of the operation.”

The FSB did not release the names of any of those arrested, although a report by the Russian news agency TASS mentions two defendants: Roman Gennadievich Muromsky and Andrei Sergeyevich Bessonov. The Russian media outlet RIA Novosti posted video footage of some of the raids:

REvil is widely believed to be a reincarnation of GandCrab, a Russian-language ransomware affiliate program that boasted of stealing over $2 billion when it was shut down in the summer of 2019. For about the next two years, REvil’s “Happy Blog” would issue press releases naming and shaming dozens of new victims each week. A February 2021 analysis by IBM researchers found that the REvil gang earned over $120 million in 2020 alone.

But that all changed last summer, when REvil teamed up with another ransomware group, DarkSide, to attack Colonial Pipeline, causing fuel shortages and price spikes across the United States. A few months later, a law enforcement operation spanning several countries allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced the arrest of seven REvil affiliates who had collectively made more than $230 million in ransom demands since 2019. At the same time, US authorities unsealed two indictments against two accused REvil cybercriminals, referring to the men as “REvil Affiliate #22” and “REvil Affiliate #23”.

It is clear that US authorities have known for some time the real names of REvil’s main leaders and moneymakers. Last fall, President Biden told Putin he expects Russia to act when the United States shares information about specific Russians involved in ransomware activity.

So why now? Russia has amassed around 100,000 troops along its southern border with Ukraine, and diplomatic efforts to defuse the situation have reportedly failed. The Washington Post and other media today report that the Biden administration has accused Moscow of sending saboteurs to eastern Ukraine to stage an incident that could give Putin a pretext to order an invasion.

“The most interesting thing about these arrests is the timing,” said Kevin Breen, Director of Threat Research at Immersive Labs. “For years, the Russian government’s policy towards cybercriminals has been proactive to say the least. With Russia and the United States currently at the diplomatic table, these arrests are likely part of a much larger, multilevel political negotiation.”

President Biden has warned that Russia can expect stiff penalties if it chooses to invade Ukraine. But Putin in turn said such sanctions could cause a complete severance of diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder and former chief technology officer of security firm CrowdStrike, called REvil’s arrests in Russia “ransomware diplomacy.”

“It’s Russian ransomware diplomacy,” Alperovitch said on Twitter. “This is a signal to the United States – if you do not enact tough sanctions against us for invading Ukraine, we will continue to cooperate with you in ransomware investigations.”

REvil’s arrests came as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the internet. “Be afraid and expect the worst,” the message warned.

Experts say Ukraine has good reason to be afraid. Ukraine has long been used as a testing ground for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the December 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

The warning left on Ukrainian government websites defaced in the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia has also been suspected of releasing NotPetya, a large-scale cyberattack initially aimed at Ukrainian companies that ended up creating an extremely disruptive and costly global malware epidemic.

Although there has been no clear attribution of these latest attacks to Russia, there are reasons to suspect Russia’s hand, said David Salvo, Deputy Director of the Alliance for Securing Democracy.

“These are tried and tested Russian tactics. Russia used cyber operations and information operations in preparation for its 2008 invasion of Georgia. It has a long history of carrying out massive cyber attacks against Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it is absolutely no surprise that it is using these tactics now, when it is clear that Moscow is looking for any pretext to invade Ukraine again and blame the West with its typical cynicism.”