Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

Russia’s FSB Takes Down REvil Cyber Gang in an Unprecedented Series of Raids

Reuters reported on Friday that the Russian Federal Security Service (FSB) and local police launched a series of raids against members of the REvil/Sodinokibi ransomware gang at the request of the United States. More than a dozen arrests were made with millions in cash and goods being confiscated by authorities.

This unprecedented action from the Russian Federal Security Service aligns with the fear that we've observed while conducting cybercriminal chatter reconnaissance on the Dark Web.

Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia, according to Trustwave SpiderLabs’ research. 

The FSB's activity would apparently confirm these fears as the Russian agency stated the arrests were conducted at the behest of United States government. Although the U.S. government has not commented on this activity, the two governments did meet in June 2021 to discuss the issue of ransomware attacks.

The FSB's move is only the latest to strike REvil.

The ransomware gang has been under pressure by the Russian, Ukrainian and U.S governments since last summer when President Joe Biden specifically called out Russian President Vladimir Putin in July 2021 following the Kaseya VSA attacks – a mass-scale ransomware campaign that was attributed to REvil. In a phone call to Putin, Biden demanded that the Russian government take action against ransomware gangs operating inside Russian. 

Several days after this conversation, the REvil gang began to disappear from the Internet (before briefly reappearing and then seemingly shut down in October), and more arrests were made due to the collaboration between several law enforcement agencies internationally.

Only time will tell if REvil resources will reemerge in another form, as we've seen with other ransomware groups many times in the past.

In Friday's action, the Russian FSB and police raided 25 addresses, detaining 14 people, the FSB said, listing assets it had seized, including 426 million rubles (about $5.6 million), as well as more than $600,000 in U.S. cash, and another 500,000 euros, computer equipment and 20 luxury cars, Reuters reported.

REvil's method of operation included encrypting a target's database with ransomware along with data exfiltration. It then used the stolen data to blackmail their victim into paying the ransom. The threat being that if the organization refused to pay the ransom, the gang would make the sensitive information it had taken public.