Game Over from the Russian Authorities to the REvil

January 28, 2022

Game over for REvil, the hacker group that carried out so many prominent cyber-attacks, gaining money and popularity. The collective should not cause any more problems, certainly not with the same line-up, since it was neutralised by the Russian authorities, who, according to the Federal Security Service of the Russian Federation (FSB), intervened at the request of the United States. In fact, REvil’s activities were mainly focused on a series of offensives directed against American companies and infrastructures, which created enormous difficulties for the companies affected and consequently for the numerous customers connected to each of them. After offering up to 10 million dollars to anyone who could reveal useful information to identify or locate the members of the group, the assistance to the Biden administration came from Russia, in a game of political interlocking that ensures advantages for both countries.

The Russian intelligence raid led to the arrest of 14 REvil members, adding to the three arrests made in previous weeks. The agents raided 25 homes in Moscow, St. Petersburg and other cities in the country, seizing 426 million roubles (about 4.8 million euros), 600,000 dollars, 500,000 euros, cryptocurrency wallets, as well as twenty luxury cars and a massive stockpile of computers and other electronic devices. According to the Russian authorities, the defendants are charged with money laundering and could face up to seven years in prison if convicted, while Russia’s Interfax news agency specified that those arrested with Russian citizenship will not be handed over to the United States.

How did REvil become ‘famous’?

The result of a merger between the terms ransomware and evil, and also known in the past as REvil/Sodinokibi, REvil is a cybercriminal organisation that has acted for purely financial purposes. Their weapon was ransomware of the same name to lock and encrypt the files of the affected individuals and companies, in order to get a refund in exchange for the key to decrypt the files and get the hacked documents back. To exploit the anonymity and ease of the system, they demanded money in cryptocurrencies, almost always Bitcoin, with the threat of publishing and selling the information obtained through the attack if they did not pay. In order to secure easy money, REvil has also emerged as one of the main providers of ransomware as a service (RaaS), not least because the breach-block-ransom system is the most popular in the current cybercrime market. According to a Sophos report, ransomware was the weapon used in 79% of global attacks during 2020-2021, with Conti and REvil leading the list.

REvil’s popularity has escalated over the past 24 months, with a series of offensives that have alarmed US authorities, so much so that last October, the FBI managed to breach the collective’s server backup and cut the site off from the dark web. The counter-attack was confirmed by a REvil member, known as 0_neday, who wrote on a cybercrime forum monitored by cybersecurity firm Recorded Future: “The server is compromised, they were looking for me. I’m leaving.” Before they were knocked out, however, the group hit big targets and secured a lot of money. Among the targets hit were Apple and Acer. In the first case, the attack was directed against Quanta Computer, a Taiwanese manufacturer that works for various tech companies, with a ransom demand of $50 million for not releasing design sketches of the future 14-inch and 16-inch MacBook Pro. The material was then released, as Apple decided not to comply with the demand. The same amount had been demanded of Acer in previous months for data stolen via a Microsoft Exchange server.

Less well-known but more lucrative was the offensive launched against the US subsidiary JBS Foods, a Brazilian meat giant forced to shut down its beef processing plants after having major problems with poultry. To resolve the problem and return to normal, the company paid cybercriminals the equivalent of $11 million.Then, in July, there was the attack against Kaseya, a company that develops software for managing networks, systems and IT infrastructures, which compromised the activities of more than 1,500 companies, which also thanks to the support of the FBI managed to obtain a decryption key to nullify the ransomware.

Global balance also depends on cybersecurity

The arrest of the REvil collective by the Russian authorities, who acted at the request of the United States, is one of the examples of how the global geopolitical balance is now also affected by cybersecurity. The operation by the Russian secret services has come at a time when tensions between Ukraine and Russia have skyrocketed, with the US and NATO called upon to mediate between the two contenders. In this regard, Dmitri Alperovitch, president of the Silverado Policy Accelerator, a Washington-based cybersecurity think tank, defined the attitude of the country led by Putin as “Russian ransomware diplomacy“. The reference is to cybersecurity cooperation between the two Cold War powers, although the link remains hanging by a thin thread. Because on the one hand Russia aims to avoid influence and possible sanctions from the West on the Ukrainian issue, while on the other hand the US needs Russian support to curb the various ransomware gangs proliferating in Russia and targeting American companies.