Security Experts:

Five Key Signals From Russia's REvil Ransomware Bust

Russia cracks down in REvil ransomware gang

The sudden move by Russia's top law enforcement agency to conduct a very public takedown of the REvil ransomware operation has set tongues wagging about how diplomacy may hold the key to slowing big-game ransomware attacks.

The sting operation, which was followed by a carefully crafted announcement that it was done “at the request of the United States,” comes amidst a larger Russia-Ukraine geo-political conflict that is already being linked to data-wiping malware attacks and targeted web-site defacements. 

The U.S. government has publicly blamed Russia for ignoring multiple high-profile ransomware attacks that cripped gas pipelines and disrupted food and beverage operations and the White House last year insisted on “follow-up actions” after sharing data on Russian ransomware wealth transfer activity.

Now, it appears the Russians are signaling a solitary follow-up action in a very deliberate manner, a move no doubt tied to larger diplomatic negotiations surrounding military conflict and economic sanctions.  

It’s worth closely examining the five major signals being sent to understand how the ransomware ecosystem shakes out the rest of this  year:

1. Ransomware can be (partially) solved with diplomacy: 

Everything about this operation screams .gov diplomacy at work. The Russians put on a show, posting raid videos alongside a carefully orchestrated announcement that the crackdown was a gift to the Americans. 

The FSB press release made it very clear that it was a response to a request from the U.S., an obvious signal it was willing to use its law enforcement reach to cooperate on cybersecurity issues.

While many remain skeptical (more on the REvil takedown choice later), this is confirmation that a willing government can effectively thwart major cybercriminal activity, especially those with geo-political and national security implications. A few meetings by politicians could lead to a sudden law enforcement directive and the eventual knee-capping of cybercriminals. 

It shows that an all-hands global law enforcement initiative can provide comfort to network defenders struggling to pry ransomware from corporate networks.

[READSecurityWeek Cyber Insights 2022: Ransomware ]

2. REvil was low-hanging fruit: 

It’s interesting that the Russians chose REvil to be the target for this operation. The truth is that REvil’s malware operation was already compromised by U.S. government and law enforcement allies in the west. 

As I wrote last October, a U.S.-led law enforcement hack-back operation led to the seizure of Tor servers and effectively crippled REvil after the gang was blamed for the Colonial Pipeline hack and the Kaseya supply chain compromise

Since REvil was already disrupted and its operators known by U.S. authorities, it was pretty easy for Russia’s negotiators to publicly signal it may be cooperative on other bigger fish if the Americans are willing to make bigger deals.

I asked someone deep in the nation-state malware tracking space for his take and his response makes total sense: “It's obvious what the signal is.  It’s also  important that the signal is correctly understood by everyone.  You asked us to do something about ransomware and we did.  Now what will you do for us?”

[ READ: REvil Ransomware Gang Hit by Law Enforcement Hack-Back Operation ]

3. Driving fear into criminal gangs:

A big side-effect of this takedown will be deterrence. Regardless of the charges -- those arrested face lighter money-laundering charges because cybercrime laws require Russian victims -- there is nothing fun about being incarcerated in Russia, especially in January.

While most of those arrested are believed to be low-level REvil affiliates in the ransomware ecosystem, it is a direct lesson to the masterminds and gang leaders that they are expendable assets in diplomatic negotiations.

This deterrence will likely lead to a noticeable decline in bold-face attacks and more attempts by cybercriminals to cover tracks or shut down entire operations, much like we saw with DarkSide after the Colonial Pipeline hack 

[ READ: DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills? ]

4. The Iran-North Korea ransomware connection:

While the REvil takedown is being viewed within the lens of the U.S.-Russia relationship, there are at least two nation-states -- North Korea and Iran -- using ransomware attacks and crypto-bank heists to get around economic sanctions.

If the Russians can use ransomware damages as leverage in negotiations, it sets a precedent for other nations to pursue the same strategy. North Korean hackers stole a whopping $400 million worth of cryptocurrencies in 2021 and there are documented ransomware attacks coming from nation state-backed actors in Iran.

Expect to see these .gov threat actors outsourcing sanctions-busting ransomware operations to mercenary private sector actors in attempts to dodge attribution or set up future diplomatic negotiations.

[ READ: Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks ]

5. The value of (good) attribution

One of the more interesting things to watch is the U.S. government’s use of a high-quality attribution in the new “sand-and-friction” strategy being used to disrupt apex predators, including actors in the ransomware ecosystem. 

The strategy includes multi-agency advisories with specific warnings about targeted APT activity and the use of direct attribution on social media to expose tools and IOCs to help defenders. This high-quality attribution is crucial for the level of .gov information sharing that leads to REvil gang arrests.

Attribution can be a tricky discipline but its value has never been more urgent. 

It's important for the cybersecurity industry to understand the twists and turns of the ransomware ecosystem, even when governments and diplomats take control of the conversations. 

Related: Russia Lays the Smackdown on REvil Ransomware Gang

Related: Ukraine Hacks Add to Worries of Cyber Conflict With Russia

Related: DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills

Related: REvil Ransomware Gang Hit by Law Enforcement Hack-Back Operation

Related: US Treasury Sanctions Crypto Exchange in Anti-Ransomware Crackdown 

Virtual EventRegistration open for Ransomware Resilience & Recovery Summit - Jan. 26

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.