High anxiety spreads among Russian criminal groups in wake of REvil raid

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

“The comments mentioned a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation with the United States and Russia will be a problem for their operations going forward,” the blog added.

It cited one forum member declaring: “This is a big change. I have no desire to go to jail.”

Russia acting on ransomware is rare

After nearly a week of monitoring chatter on Russian hacker forums, we noticed a huge change from the past in tone among the members of the online meeting sites, says SpiderLabs vice president of security research Ziv Mador.

“In the past, cybercriminals felt very safe in Russia,” he says. “As long as they didn’t attack local targets, they felt they’d be fine. Russian cybercriminals had been arrested traveling outside the country, but this time they were arrested in Russian cities,” he continues. “That was a shocking moment for them.”

“Russia acting on any cybercrime report, especially ransomware, is especially rare,” adds John Bambenek, principle threat hunter at Netenrich, an IT and digital security operations company. “Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn’t happen.”

Was the Russian raid “a show” for international consumption?

There were some skeptics of the significance of the REvil raid in the forums monitored by SpiderLabs. One forum member raised the possibility that the FSB operation was, in fact, faked or was only “a show” for international consumption, Trustwave noted. This thought allowed them to hold out hope that the FSB’s move would not end with serious punishments for the arrestees.

“It is doubtful that this represents a major change in Russia’s stance to criminal activity within its borders—unless they target Russian citizens—and more that their diplomatic position is untenable, and they needed to sacrifice a few expendables to stall more serious geopolitical pressure,” Bambenek maintains. 

“In three months, if there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach,” Bambenek said. “Nevertheless, it’s a big arrest and will have significant short-term impact to reduce ransomware.”

REvil had been inactive for months

The fact that the FSB targeted REvil, which had not been publicly active in conducting attacks since October 2021, is also significant, adds Chris Morgan, a senior cyber threat intelligence analyst with Digital Shadows, provider of digital risk protection solutions. “It’s possible that the FSB raided REvil knowing that the group was high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape,” he says.

Dirk Schrader, global vice president at New Net Technologies, a provider of IT security and compliance software, adds that only time will tell if the REvil raid will decrease ransomware attacks. “It is too early to say whether such a level of international cooperation will turn into systemic efforts to put an end to widespread ransomware attacks,” he says. “Only consistent, united efforts to deprive the attackers of any safe harbor can ensure long term results.”