In a rare piece of cybersecurity good news, in mid-January 2022 Russian security services announced the arrest in Moscow, St. Petersburg, and Lipetsk of 14 alleged members of the world’s most notorious ransomware group, REvil (pronounced AreEvil).
As cybercriminal busts go, this one confirmed every stereotype of the hacking underworld. Video released on the Russian VK news site shows alleged criminals pinned to the floor by plainclothes policemen and huge slabs of Russian bank notes, and accompanying reports mentioned the seizure of 20 expensive sports cars said to have been bought with ransom proceeds.
And not a moment too soon, the group’s many mostly U.S.-based victims might say. Since its first appearance around 2019, REvil (a.k.a. ‘Sodinokibi’) has established itself as arguably the No. 1 brand in the ransomware space, culminating with a sequence of spectacular attacks last summer that brought several big organizations to a standstill.
REvil: a Brief History
Attribution is sometimes difficult with REvil, because it operates a ransomware-as-a-service (RaaS) business model in which its malware platform is used by its own hackers for some attacks, while others are conducted by affiliates on a revenue-sharing basis. Nevertheless, the following incidents have been reliably connected to REvil:
- A major ransomware attack on Brazilian meat producer JBS in May 2021, which shut down plants in the U.S., Australia, and Brazil. An $11 million ransom was demanded and, reportedly, paid. Within days, the FBI blamed REvil for the attack by name.
- An April 2021 attack on Apple chip maker Quanta Computer. After the $50 million ransom was not paid, the group released data on forthcoming Apple laptops.
- An attack in July 2021 on 50-60 managed service providers (MSPs) using the Kaseya VSA remote management software, which impacted up to 1,500 of their customers. The ransom demanded was a reported world record $70 million, which Kaseya said it did not pay.
- The infamous attack on Colonial Pipeline that forced millions of people in the northeast of the U.S. to queue for gasoline. Colonial reportedly paid $4.4 million in Bitcoin, some of which was later recovered by the U.S. authorities in obscure circumstances. Although claimed by the DarkSide group, the malware used was based on REvil’s.
In short, 2021 saw some of the biggest ransomware attacks on record—so big, in fact, that at times it appeared the group’s MO was as much about attacking big targets for maximum publicity as it was about making outrageous ransom demands. REvil’s notoriety quickly made it Public Enemy No. 1, eventually leading to some arrests outside Russia and the partial disruption of the group’s infrastructure. The latest arrests look like the icing on that cake.
Is REvil gone for good? And if it is, might this be a turning point in the decade-long battle to hold cybercriminals accountable using old-fashioned criminal justice?
Assuming the suspects are guilty as charged, history suggests that arresting one cybercrime group simply creates space for rivals to move into. There are, after all, a lot of ransomware criminals out there. It’s also possible that the suspects were simply part of an affiliate using REvil’s code rather than the REvil core.
However, it’s still striking that these arrests happened at all. Russia is widely accepted as home to most of the world’s most active ransomware groups, but has made conspicuously little effort to act against them in the past. In the latest arrests, the Russian Government made a point of saying it had acted after a request from the U.S.—without mentioning that it had laughed off similar requests many times.
The question is what has changed, and whether it’s as positive a development as it appears from the headlines. The optimistic view is that Russia has decided it has more to gain by cooperating with arrest requests, possibly as a show of good faith intended to gain concessions in its wider geopolitical confrontation with the U.S. and others. The timing of the arrests at a moment of heightened tension, unlikely to be a coincidence, would tend to support this thesis.
A more pessimistic interpretation is that arresting suspects after months of U.S. pleading is really a show of force, a sort of “look at what we can do if we want to”—the geopolitical equivalent of temporary pain relief. For anyone who subscribes to this view, ransomware attacks by REvil and others, whether merely tolerated or privately encouraged by Russian intelligence, have always been a handy way to pressure the U.S. It almost doesn’t matter whether this is fuelled by post-Soviet resentment or is an attempt to lever a specific concession. Ransomware is a useful ally, a new Cold War rendered in code.
A Line Crossed
The current U.S. administration has made a point of complaining loudly and repeatedly about ransomware attacks, perhaps hoping that by elevating them to a public issue it could lure the Russians into a pragmatic engagement on the problem.
At one point after the Colonial Pipeline attack, things got serious enough that President Biden even referred to the issue of ransomware as a matter of national security, a gloves-off characterization that hinted at more serious counter-measures in the future.
A parallel tactic has been to treat cybercriminals like other types of criminals, naming and sanctioning suspects even if they are able to hide in countries such as Russia. Clearly, if ransomware gangs spend 2022 as they spent 2021, going after critical U.S. infrastructure, the U.S. and its allies are unlikely to be as passive as they were in the past.
Ransomware attacks have been getting steadily worse for several years, but what happened to Colonial seems to have crossed an invisible line. It was as if politicians finally realized that these attacks are not simply about private misery—they now risk national embarrassment.
The missing viewpoint is how Russian cybercriminals interpret events. Until now, they’ve attacked U.S. and other western targets with impunity. If that era of reckless abandon is over, some of them might suspect they are entering a world with more complex rules. Russian ransomware attacks won’t stop any time soon, but some of the fraternity of entrepreneurs and programmers that makes up ransomware’s core might in the future have to vet their target list with some care—or risk becoming bargaining chips.