Russia Arrests members of “REvil” hacking group at U.S. request – FSB
In Russia, the cities of Moscow, St. Petersburg, Moscow, Leningrad, and Lipetsk, the Russian Federation’s Federal Security Service, in collaboration with the Ministry of Internal Affairs’ Investigation Department, put an end to the illegal activities of members of an organized criminal community popularly known for working for “Revil”.
The search activities were based on an appeal from competent US authorities, who reported on the criminal community’s leader and his involvement in encroaching on foreign high-tech companies’ information resources by introducing malicious software, encrypting information, and extorting money for its decryption. However, many observers believe the action is part of a larger effort to defuse tensions over Russian President Vladimir Putin’s decision to station 100,000 troops near the country’s Ukrainian border.
The Russian Federal Security Service (FSB) has identified the whole structure of the REvil criminal community and its members’ involvement in the unlawful circulation of payment instruments, as well as documenting illegal operations.
These individuals constructed malicious software and orchestrated the theft of monies from the bank accounts of foreign nationals and their cashing out, including by purchasing expensive products on the Internet, in order to carry out the illegal objective.
Funds were seized at 25 addresses at the residences of 14 members of the organized criminal community as a result of a complex of coordinated investigative and operational search activities: over 426 million rubles, including in cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, and 20 premium cars purchased with money obtained from crime.
Part 2 of Art. 187, “Illegal circulation of means of money,” was used to charge the jailed members of the OPS, as per the Criminal Code of Russia.
The FSB did not release the names of any of the people arrested, despite a report from the Russian news agency TASS naming two defendants: Roman Gennadyevich Muromsky and Andrey Sergeevich Bessonov. A Russian news outlet, RIA Novosti, released video footage from some of the raids: https://tass.ru/proisshestviya/13431845
“The court received a petition from the investigation to select a measure of restraint in the form of detention for up to two months in relation to Muromsky Roman Gennadyevich, suspected of committing a crime under Part 2 of Article 187 of the Criminal Code of the Russian Federation (“Illegal circulation of means of payment”)”, – as stated by interlocutor of the agency.
The organized criminal community ceased to exist as a consequence of the joint activities of the FSB and the Russian Ministry of Internal Affairs, and the information infrastructure used for illegal goals was neutralized.
The operation’s outcomes were relayed to representatives of the relevant US authorities.
http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html
Resident Revil
Global money exchange Travelex, IT services business Kaseya, and JBS, one of the world’s largest beef suppliers, are among the confirmed victims of REvil (also known as ‘Sodinokibi’).
The infrastructure of REvil was breached and disrupted by US authorities in October 2021.
The latest law enforcement action, which might be much more damaging, comes after two men were charged in November 2021 with using REvil ransomware in cyber-attacks against Kaseya and others.
This action entails the detention of designated (different) suspects in Poland and Romania.
‘Constant pressure’
Although ransomware remains a major menace, REvil has been mainly idle since last October, long before the most recent arrests.
Despite this, threat intelligence professionals questioned by The Daily Swig stated the threat might resurface under a different garb, making confident pronouncements that the risk has been eliminated prematurely at best.
“After persistent law enforcement pressure, REvil dropped off the radar in October. The infrastructure of the group has remained idle since then,” said Group-IB.
“However, as we’ve seen in the past with various ransomware groups, shutdowns don’t always signify the end of destructive activity.” There are a lot of RaaS [Ransomware-as-a-Service] programs out there right now, with Group-IB researchers identifying at least 21 new affiliate programmes between H2 2020 and H1 2021 in their latest Hi-Tech Crime Trends report.”
“It means that ransomware affiliates can jump from one RaaS to another,” Group-IB explained. Furthermore, ransomware groups frequently relaunch their activities under new aliases.
“With DoppelPaymer and Avaddon, we’ve seen such rebranding. We also identified the connections between DarkSide and BlackMatter, its ostensible replacement, in August.”
The arrests of REvil in Russia have been dubbed as “ransomware diplomacy” by Dmitri Alperovitch, co-founder of CrowdStrike and former chief technical officer.
On Twitter, Alperovitch commented, “This is Russian ransomware diplomacy.” “It’s a message to the US: if you don’t impose heavy penalties against us for invading Ukraine, we’ll keep working with you on ransomware investigations.”