Russia’s dismantling of the notorious ransomware crime group REvil at the request of the United States indicates a shift in how the two countries tackle cybercrime, Israeli cybersecurity experts believe.
REvil, which stands for Ransomware Evil, was a Russia-based threat actor that utilized ransomware-as-a-service (RaaS) to target organizations. In ransomware attacks, cybercriminals infiltrate a computer system and block access to critical files and data, demanding that organizations pay a ransom to restore the system to its previous condition.
REvil recruited affiliates to distribute their ransomware for them, making it exceedingly difficult to pinpoint their location.
As part of its sweep, Russia detained and charged 14 people linked to REvil and seized $600,000, computer equipment and 20 luxury cars, the country’s Federal Security Service (FSB) said on Friday.
Sygnia, a Tel Aviv-based cybersecurity firm, said that it had come up against REvil several times.
“They were one of the most prolific [cybercrime groups],” David Warshavski, VP for enterprise security at Sygnia, told The Media Line. “They claimed to have made over $100 million in a year.”
The group had infamously carried out several high-profile cyberattacks on the US in recent months, including on the Colonial Pipeline last spring, which led to widespread gas shortages on the East Coast. They are also suspected of having attacked JBS SA, the world’s leading meatpacking company, back in June.
Friday’s arrests were a rare show of US-Russian collaboration, which may indicate a shift in how the countries tackle cyberthreat actors.
“Up until recently we didn’t see Russia taking a more aggressive stance,” Warshavski noted. “That changed with the attacks on JBS Foods and the Colonial Pipeline. After this, you see the US administration taking a stance. [US President Joe] Biden gave [Russian President Vladimir] Putin a list of 16 industries that threat actors are not allowed to touch.”
As a result of this change in policy, some cybercrime groups have begun to shift their malicious efforts away from North America and focus on other regions where there is a lower risk of retaliation, such as the Asia-Pacific or Latin America, according to Warshavski. Israel is not really a major target for these threat actors because of its small size.
REvil, and groups like them, prioritize attacks on organizations that they believe will be more likely to pay them a higher ransom.
“The nature of these attacks is extremely opportunistic,” he said. “Many times these attackers choose the path of least resistance. We’ve seen this group target various sectors: retail, operation technology, banking, transportation, insurance, and even a charity organization.”
Most cyberthreat actors work out of Russian-speaking countries or China, where they can operate with impunity due to lax law enforcement. “The [Russians] can stop them if they want to,” Warshavski asserted. The sweep on REvil comes amid heightened tensions between the US and Russia over a
potential conflict with Ukraine. Just a few days ago, Ukraine was hit by a massive wave of cyberattacks that shut down several government websites. Washington may have exerted significant pressure on Moscow to act against cybercriminals in light of those developments.
“I don’t think it’s a coincidence,” Warshavski said. “I think that it’s maybe an attempt by the [Russian] government to say, ‘Look here! Look at the good things that we’ve done.’” The unusual show of collaboration also suggests that governments are embracing a more hands-on approach to responding to cybercrime, said Arie Zilberstein, Sygnia's VP of incident response.
“By strengthening and increasing collaboration, we can potentially slow down the proliferation of ransomware threats and ultimately, shut down some groups,” Zilberstein said in a statement that was shared with The Media Line. “Cybercriminal activity requires law enforcement worldwide to reorganize and collaborate.”
Unfortunately, though the arrests on Saturday represent a positive turn of events they do not mark the end of REvil.
“The fact that this is a very prominent group assumed to have roots and affiliates around the world means that it is likely that we will see the group, or its affiliates, emerge under a different brand in the near future.”