“I think being concerned about Russia’s ulterior motives [for conducting the REvil arrests] is perfectly reasonable,” says John Hultquist, vice president of threat intelligence at the security firm Mandiant. “This essentially is a feather in their cap and you could definitely take a cynical view of it and think that it’s all signaling. But I think ultimately it’s still good news. The actors needed to know that if you are harassing thousands of people and stealing hundreds of millions of dollars you can’t just ride off into the sunset.”
It isn’t the first time an alleged member of REvil has faced action from law enforcement. In November, 22-year-old Ukrainian national Yaroslav Vasinskyi was arrested in Poland and accused of conducting the Kaseya attack. Vasinskyi allegedly abused a Kaseya product to deploy REvil code that then spread the group’s ransomware via Kaseya’s networks, according to a Department of Justice indictment. Yevgeniy Polyanin, a 28-year-old Russian national, was also charged with deploying REvil’s ransomware—he’s accused of conducting 3,000 ransomware attacks—and had $6.1 million of his assets seized.
Law enforcement agencies around the world, including in Ukraine, have increasingly been working together in efforts to tackle ransomware actors. Since February 2021, Europol has arrested five hackers linked to REvil and says 17 countries have been working on its investigations. These include the US, UK, France, Germany, and Australia.
Without cooperation from Russia, though, officials have had some hard limits on which gangs they could effectively target. After hitting a zenith—or nadir—with a series of disruptive and destructive attacks in the summer of 2021, REvil mostly went dark after international law enforcement compromised its infrastructure. Other Russia-based groups, though, like the notorious DarkSide gang and its successor BlackMatter, have continued their targeting, at least for now.
“The big question, I suppose, is does this represent a real shift in Russia’s intentions to deal with this problem, or has REvil simply been sacrificed in an attempt to alleviate some international pressure?” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “I would suspect the latter.”
Callow and others emphasize, though, that while it will take time to learn more about the Russian government’s approach, seeing so many REvil operators apprehended should provide some amount of deterrent effect. And in an interconnected industry like the ransomware market, every disruption is significant.
“I agree there must be a motivation other than ‘the US asked us nicely,’ but regardless, this will further disrupt the ransomware economy, at least in the short term,” says incident responder and former NSA hacker Jake Williams.
In the long term, several ransomware groups operating out of Russia remain highly active. The REvil takedown is a sign of progress, but what really matters will be the Kremlin’s appetite for pursuing those other gangs as well.
More Great WIRED Stories