The biggest name in cybercrime was taken completely offline courtesy of the Russian secret service agency the FSB, in quite a surprising plot twist because Russia has over the past few years become a well-known safe haven for Cybercriminals.
It’s become a bit of an unwritten rule that as long as Russian black hats didn’t target Russian citizens or Russian companies, and instead focused their money-making attacks on the rest of the world, usually with ransomware, they were largely allowed to exist by the Russian authorities that were until a one weekend in January 2022, when the rebel ransomware group was stung by Russian authorities, all caught on camera.
REvil members allegedly had their homes raided, stacks of cash were seized as well as crypto wallets, which totalled millions of dollars. In a clip released by Russia, you see an REvil member answer a knock at the door only to be raided by police. In total, 14 members of REvil were arrested Russia say, and these guys are supposedly responsible for some of the biggest cybercrimes in the entire history of the internet.
Some of REvils largest attacks include, exfiltrating and leaking top-secret Apple schematics, hacking U.S Nuclear Weapons contractors, the well-known Colonial Pipeline hack and of course the Cassaya ransomware attack in which the hackers claimed to have ransomed a million computers. Notice how none of these hacks targets Russian’s, if they had well then they probably would have been shut down a long long time ago.
Why did Putin wait to take action
The obvious questions are why have the authorities waited until now to take action. How big of a deal really is this.
Does this takedown signal the end of Russian Cybercrime as we know it. Has Putin developed sympathies for U.S companies falling prey to Ransomware, probably not. The best answer to the question of why, probably goes beyond Cybercrime, the running theory is, that this is purely politically motivated. Russian relations with the U.S have never been amazing, and at the moment they’re really not particularly good.
The fact that Putin has the ability to disarm these Cybercrime gangs is a major card on the negotiation table with the U.S. These Cyberattacks originating from Russian gangs are no joke, take the Colonial hack for example, A Russian Cybercrime gang effectively shut down a major U.S pipeline, causing fuel shortages and a run a gas stations in some U.S states. Through what is probably wilful neglect on the part of the Russians, who knows, maybe it is top tier strategy.
The reality is that this action is largely symbolic even before this takedown, REvil themselves had become largely irrelevant, after the monumental Kasaya ransomware attack, REvil disappeared. They did spring up again a few months later but by disappearing they lost a lot of credibility in the cybercriminal underworld and their affiliates weren’t happy. Some reported that REvil refused to pay them and just ran away with their cut, things were so bad for REvil that this previously famous and respected cybercrime gang was forced to increase the share of commission they offer in a bid to even attract affiliates.
Affiliates are the ones who spread ransomware on behalf of a cybercrime gang, usually, affiliates get 70-80% of the takings but REvil had gone so far as to offer 90%. However, it turns out that in this reboot of their operations, they had restored from a backup which just so happens to have been compromised by the FBI giving the bureau complete access to their infrastructure. The FBI then shut down their operations in October making REvils return rather short-lived.
At the time of the Russian raids just days ago, REvil was no longer even operating, whilst sure the arrests of the 14 rebel members take some experienced cyber criminals off the internet it was more so done for theatre than anything else. Researchers undercover on various BlackHat forums confirmed that in the words of Russian cyber criminals, REvil members were just pawns in a big political game.
You may also enjoy reading, Red Cross hit by a Sophisticated Cyber Attack leading to Databreach
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
- Most Attackers Need Less Than 10 Hours to Find Weaknesses - 28 September 2022
- 5+ Things to teach your kids about Social Media - 26 September 2022
- RCE in Sophos Firewall is being exploited in the wild (CVE-2022-3236) - 26 September 2022