The raid and subsequent arrests of members of one of the most prolific ransomware gangs came as a surprise to many observers. Russian officials arrested members of the notorious REvil ransomware group – on the request of the US. In the current high-pressure environment of Ukraine peace talks between the US and Russia, it seems strange that Russia would follow such a request. This article tries to make sense of the arrests.
Summary:
- On January 14th, news broke that Russian officials had arrested members of the REvil cyber criminal gang. Russian authorities even published a video of the raid
- Surprisingly, the news came from the FSB, Russia’s principal security agency. Before we theorise about why Russia followed a request from the US to arrest the members, let’s look at the REvil gang itself
- REvil is – or better was – a ransomware group that launched serious cyberattacks on companies
- The name of REvil has appeared frequently as one of the most significant players in the ransomware chaos over the last years (e.g. related to the attacks on Travelex, JBS Meat, and Kaseya)
- Strangely, the group’s activities dried up in summer 2021, and no one has heard back from them. Until now
- This leads us to the puzzling arrests. Usually, Russia and the US are fierce opponents. So why did the Russian FSB conduct the arrest, based on a request from the US?
- One reason could be to provide concessions to the US, or perhaps a semblance of cooperation
- REvil could have become a scapegoat, or “pawns in a political game”
- Shutting down REvil could have also been a calculated move by Russian authorities. Knowing that REvil had already been inactive for months, their removal would have a small impact on the ransomware landscape
- Another possible, more speculative reason is that Russia could coerce REvil members to continue their operations not as a criminal gang, but more directly for the Russian government.
It seems as if the lavish lifestyle of Lamborghinis, baby lions, and stacks of cash of Russian hackers is now more in jeopardy than ever.
Why does this matter for businesses?
- Many companies only look at adversaries without having identified the wider geopolitical environment
- Geopolitical shifts may lead to heightened cyber risk for individual organisations. For example, the current geopolitical tensions between Russia and the Ukraine have cyber-risk implications for businesses that have operations in Ukraine
- Knowing who the adversaries and their motivations are may help during ransomware negotiations.
