
Russia takes down dangerous hackers — as Ukraine tensions escalate


“I think concerns about Russia’s ulterior motives [for conducting the REvil arrests] make perfect sense,” said John Hultquist, vice president of threat intelligence at security firm Mandiant. “This is basically a feather on their hat and you can certainly look at it skeptically and think it’s all just a signal. But I think it’s still good news in the end. Actors need to know that if you’re harassing thousands of people and stealing hundreds of millions of dollars, you can’t go into a sunset.”

This is not the first time an alleged member of REvil has faced action from law enforcement. In November, Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was arrested in Poland and accused of carrying out the attack on Kaseya. Vasinskyi allegedly abused a Kaseya product to deploy the REvil code, then spread the group’s ransomware through Kaseya’s network, according to a Ministry of Justice indictment. Yevgeniy Polyanin, 28, a Russian national, was also charged with deploying REvil’s ransomware (he was accused of carrying out 3,000 ransomware attacks) and had $6.1 million in assets confiscated.

Law enforcement agencies around the world, including in Ukraine, have increasingly worked together in an effort to tackle ransomware actors. As of February 2021, Europol has arrested five hackers linked to REvil and said 17 countries were conducting investigations. These include the US, UK, France, Germany and Australia.

Without cooperation from Russia, however, officials faced some tough limits on which gangs they could effectively target. After reaching its peak, or nadir, with a series of disruptive and destructive attacks in the summer of 2021, REvil went nearly dark after international law enforcement infiltrated its infrastructure. However, other groups based in Russia, such as the infamous DarkSide gang and its successor BlackMatter, have continued their targeting, at least for now.

“I think the big question is whether this represents a real change in Russia’s intention to solve this problem or REvil is simply being sacrificed in an attempt to ease some international pressure?” said Brett Callow, a threat analyst at anti-virus company Emsisoft. “I would doubt the latter.”

However, Callow and others stress that while it will take time to learn more about the Russian government’s approach, seeing so many REvil operators arrested would have some deterrent effect. And in an industry as interconnected as the ransomware market, any disruption is significant.

“I agree that there must be some motivation other than ‘the United States has asked us kindly’, but whatever this will continue to disrupt the ransomware economy, at least in the short term,” incident responder and former NSA hacker Jake Williams said.

In the long run, some ransomware groups operating outside of Russia are still very active. The REvil takedown is a sign of progress, but what really matters will be the Kremlin’s appetite to go after other gangs.

