Russia's "politically motivated" REvil raid could be used as leverage, experts warn
The cyber security industry says the FSB's arrests are “unlikely” to signal a change in Russia’s policy
Russia's decision to raid and arrest numerous members of the REvil ransomware group was likely “politically motivated” and could be used by the country used as “leverage”.
That's according to Chris Morgan, a senior cyber threat intelligence analyst at cyber security company Digital Shadows, who told IT Pro that Russia’s Federal Security Service (FSB) “raided REvil knowing that the group were high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape”.
Following the arrests of 14 suspects on Friday, Moscow’s Tverskoi Court has named the eight individuals to be charged as Roman Muromsky, Andrey Bessonov, Golovachuk M.A., Zayets A.N., Khansvyarov R.A., Korotayev D.V., Puzyrevsky D.D., and Malozemov A.V.
The arrests took place a day after the Ukrainian government’s websites were taken down by a cyber attack on Friday, which was unofficially attributed to Russian-aligned threat actors.
“It’s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine's border,” said Morgan. Russia has reportedly deployed around 10,000 troops to the border.
Cybereason chief security officer Sam Curry said that the arrests are “unlikely” to signal a change in Russia’s policy, which in the past has been accused of sponsoring cyber criminals.
“Far more likely is providing a counterpoint to other news on the world stage, to confuse or perhaps even to provide legitimacy to a crackdown on criminals who are “state ignored” (i.e. sanctioned) to keep them in line and playing by the rules domestically,” he told IT Pro.
Curry added that the arrests could lead to less ransomware attacks – for now at least.
RELATED RESOURCE
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security tools
“The bottom line for those outside Russia is that a major player is taking a hit, which will mean a reduction in victims for the time being. As with most criminal syndicates, though, there’s always another player around to fill the void. And until Russia actually changes domestic policy with regard to International cyber crime, the rest of the world shouldn’t read too much into it,” he said.
However, Morgan believes that the arrests will have a “small impact on the current ransomware landscape”, noting that REvil hadn’t conducted any attacks since October 2021.
“The FSB stated that the arrests were made following 'an appeal' from the US authorities, while the hacking group had in the past targeted American companies including Apple and JBS.
“While the specific dialogue between the United States and Russia on this operation are unclear, this statement possibly represents a backhanded message highlighting that Russian authorities can be used to stop ransomware activity, but only under certain circumstances.”
-
UK government to prioritize data center grid access, cut down on speculative applicationsNews The new approvals system aims to put a halt to speculative connection applications
-
Thousands of Asus routers are being used to fuel a massive cyber crime spreeNews Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in lifeNews With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoingNews Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwiseNews Billing itself as the “only place ransomware allowed", RAMP catered mainly for Russian-speaking cyber criminals
-
Everything we know so far about the Nike data breachNews Hackers behind the WorldLeaks ransomware group claim to have accessed sensitive corporate data
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Hacker offering US engineering firm data online after alleged breachNews Data relating to Tampa Electric Company, Duke Energy Florida, and American Electric Power was allegedly stolen
