REvil Ransomware Operations Apparently Unaffected by Recent Arrests
The REvil (Sodinokibi) ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.
Two weeks have passed since Russia’s Federal Security Service (FSB) announced the takedown of the REvil group “at the request of US authorities,” but the ransomware-as-a-service (RaaS) enterprise remains as active as before.
Russia has long been accused of allowing cybercriminals to operate within its borders as long as Russian nationals or organizations are not harmed. With the arrest of 14 members of the REvil gang, it appeared set to send a different message, even if some saw the move as political, coming amid the increasing tensions at the Ukraine border.
However, as ReversingLabs points out, the high-profile arrests of affiliates did not put a dent in REvil operations. In fact, the group is continuing operations at the very same pace as just before the arrests.
In November 2021, Europol announced the arrest of seven individuals involved in the proliferation of REvil and GandCrab ransomware attacks (the arrests were made over a period of 7 months), at which time ReversingLabs was seeing an average of 47 new REvil implants daily (326 per week).
That number was higher than in September (43 new implants per day, 307 per week) and October (22 new implants per day, 150 per week), but much lower than in July (87 per day, 608 per week), the month in which the group went offline.
Following Russia’s arrests, the number of observed REvil implants increased from 24 per day (169 per week) to an average of 26 implants a day (180 per week).
“While it’s true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs notes.
“Threat groups exploit regionalised regulation, and distributed organizational structure with sovereign state safehousing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil,” ReversingLabs senior threat researcher Andrew Yeates says.
While coordinated action against REvil infrastructure may have had a short-term impact on the RaaS’s prevalence, much stronger action is needed to actually halt the cybercrime ring’s activities, especially given the corporation-like structure of the group, in which affiliates launch the attacks and receive the payments.
Thus, eliminating only affiliates doesn’t take down the core of the RaaS and allows it to continue operations. On the other hand, if only the core is eliminated, affiliates can either rebuild the enterprise or migrate to a different RaaS, and this is true for other similar cybercriminal organizations as well.