“I think people are worried about Russia’s ulterior motives [for conducting the REvil arrests] is perfectly reasonable, ”said John Hultquist, vice president of threat intelligence at security firm Mandiant. “This is basically a feather in the cap, and one can certainly take a cynical view of it and think it’s all a signal. But in the end, I think it’s still good news. The actors needed to know that if you harass thousands of people and steal hundreds of millions of dollars, you can not just ride out at sunset. “
This is not the first time an alleged member of REvil is facing action from law enforcement. In November, 22-year-old Ukrainian citizen Yaroslav Vasinskyi was arrested in Poland and charged with carrying out the Kaseya attack. Vasinskyi allegedly misused a Kaseya product to implement REvil code, which then spread the group’s ransomware via Kaseya’s network, according to an indictment by the Justice Department. Yevgeniy Polyanin, a 28-year-old Russian citizen, was also charged with installing REvil’s ransomware – he is accused of carrying out 3,000 ransomware attacks – and had $ 6.1 million of his assets seized.
Law enforcement agencies around the world, including in Ukraine, have increasingly worked together in their efforts to tackle ransomware actors. Since February 2021, Europol has arrested five hackers linked to REvil, saying 17 countries have been working on their investigations. These include the United States, the United Kingdom, France, Germany and Australia.
Without cooperation from Russia, however, officials have had some tough limits on which gangs they could effectively target. After hitting a zenith – or nadir – with a series of disruptive and destructive attacks in the summer of 2021, REvil went mostly dark after international law enforcement compromised its infrastructure. However, other Russian-based groups, such as the infamous DarkSide gang and its successor BlackMatter, have continued their targeting, at least so far.
“The big question, I suppose, is whether this represents a real shift in Russia’s intentions to deal with this problem, or has REvil simply been sacrificed in an attempt to ease some international pressure?” says Brett Callow, a threat analyst at antivirus company Emsisoft. “I want to suspect the latter.”
Callow and others stress, however, that while it will take time to learn more about the Russian government’s approach, seeing so many REvil operators apprehended should have some deterrent effect. And in an interconnected industry like the ransomware market, any disruption is significant.
“I agree that there must be a different motivation than ‘the US asked us nicely’, but no matter what, this will further disrupt the ransomware economy, at least in the short term,” said incident responder and former NSA hacker Jake Williams .
In the long run, several ransomware groups operating from Russia remain very active. The REvil takeover is a sign of progress, but what really matters will be the Kremlin’s appetite to pursue the other gangs as well.
More great WIRED stories