
REvil Takedown: Temporary or Permanent?


On January 14, 2022, Russia’s Federal Security Service (FSB) announced it had arrested 14 alleged members of the REvil ransomware group. Although several affiliates were arrested globally in 2021, this marks the first time that Russia has publicly cooperated with a request to take action against ransomware operators within its borders. The actions taken against REvil come after a period of the group’s inactivity caused by an unidentified third party who gained control of its Tor onion domain in October. Despite these recent arrests, our threat intelligence experts do not expect a lasting impact on the REvil threat actors’ activities or a long-term suppression of the broader ransomware threat. In the short term, additional ransomware groups will curtail activities and REvil will likely rebrand.

Recommendations

  • Apply Zero Trust strategies like network segmentation and unique credentials for elevated and administrative accounts.
  • Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
  • Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks — especially for remote access assets.
  • Regularly maintain scheduled backup routines, including off-site storage and integrity checks.
  • Avoid opening unsolicited attachments and never click suspicious links.
  • Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
  • Review network logs for potential signs of compromise and data egress.

What Happened?

On January 14, 2022, Russia’s FSB announced that it had arrested several alleged members of the REvil ransomware group—also known as Sodinokibi—after raids covering 25 locations and 14 individuals. In the announcement, the FSB also stated that the search was conducted after an appeal by U.S. authorities.[1] Our experts have reported on more than 150 victims of REvil between January and October 2021, including large-scale attacks on JBS Foods and Kaseya. Out of the 14 people arrested, eight names were made public:

  • Bessonov, Andrey
  • Golovachuk, Mikhail A.
  • Khansvyarov, Ruslan A.
  • Korotayev, Dmitry V.
  • Malozemov, Alexei V.
  • Muromsky, Roman
  • Puzyrevsky, D.D.
  • Zayets, Artem N.

Each of the suspects has been jailed for two months and is under investigation for “Illegal Circulation of Payments,” which could result in a maximum of eight years in prison and up to one million rubles (roughly USD 13,000) in fines. Although only 14 alleged members have been arrested, FSB claims to have identified the entire REvil group. The raids followed multiple requests by the United States for the Kremlin to help shut down such groups. These latest arrests come on the heels of 2021’s worldwide crackdown on ransomware groups, including:

  • Europol arrest of seven affiliates between February and November. 
  • U.S. arrest of one affiliate.
  • U.S. indictment of one affiliate.

What Does This Mean?

Although these arrests may deter or even eliminate the REvil brand, ZeroFox Threat Intelligence does not expect a lasting impact on the activities of the threat actors behind REvil or a long-term suppression of the broader ransomware threat. These individuals’ roles within REvil’s collective have not yet been disclosed, though it is unlikely they are core members. REvil’s malicious activity dropped in Q4 2021, likely due in part to growing retaliatory action by U.S. authorities. ZeroFox assesses that this latest disruption will likely drive core members to rebrand their operation before resuming malicious activities.

Because Russia has repeatedly ignored calls to take action against local ransomware operators, this disruption’s timing indicates ulterior political motives rather than the start of a legitimate Russian law enforcement campaign against domestic cyber threat actors. Specifically, these arrests were announced on the same day that the U.S. accused Russia of sending saboteurs into Ukraine to create a pretext for invasion, and hackers shut down dozens of Ukrainian government websites—an attack alleged by Kyiv to have originated in Russia. Russia may seek to leverage disruptive activity for diplomatic purposes, particularly amidst escalating tensions on the border with Ukraine and threats of sanctions against Russia.

Is This the End of REvil?

Although the arrest of any affiliate or operator of a ransomware group within Russia sends a message, it is unlikely that the recent efforts against REvil will be the end of the group. The arrested individuals are not believed to be the core members that operated this specific ransomware-as-a-service (RaaS). It is also not uncommon for affiliates or members of ransomware groups to operate within multiple groups at once. If the remaining members do not continue operations as REvil or rebrand—as they did following operations as GandCrab—they may continue attacks through other new or existing groups.

In September 2021, shortly after the group returned from a brief hiatus, a forum user by the name of “lo0o0o0ong” accused REvil of creating a backdoor in its ransomware. Due to REvil’s file encryption approach, the group’s operators could recover victims’ encrypted files without the assistance of their affiliates. This potentially allowed REvil to bypass the affiliate and take the full ransom payment for themselves. In later forum posts, LockBit representative “LockBitSupp” also seemingly confirmed that REvil had been scamming affiliates in this manner.

Figure 1. LockBit representative LockBitSupp seemingly confirming complaints of REvil taking over ransom negotiations and payments
Source: ZeroFox Intelligence

In October 2021, a member of REvil posted on underground forums that an unknown third party had compromised the private key for their Tor hidden service after the disappearance of one of their members. After this incident, the group stopped all public ransom activity. ZeroFox has not seen any activity from REvil since October 4, 2021. 

Figure 2. Actor 0_neday announcing that a third party obtained the private key to REvil’s Tor hidden service
Source: ZeroFox Intelligence

[1] hXXp://www[.]fsb[.]ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html
