Law enforcement action typically does little to deter cybercriminal activity. But last week's arrests in Russia of several members of the notorious REvil ransomware group, as well as the dismantling of its criminal infrastructure, appear to have finally grabbed the attention of at least some threat actors.
Researchers from Trustwave who regularly track chatter on underground forums this week observed signs of considerable anxiety and consternation among Eastern-European cybercriminals in the days following the REvil arrests. Many threat actors apparently seem less confident about Russia being a haven for their operations and fear that cooperation between Russian and US authorities could pose major problems for them in the future.
"We’ve observed that threat actors [have been] shaken out of previously feeling invulnerable to now feeling some instability, fear, and paranoia," says Karl Sigler, senior security research manager at Trustwave SpiderLabs. How long that sentiment will prevail depends entirely on how punitive the follow-up legal actions will be against those who have been arrested, he says.
Last Friday, Russia's Federal Security Service (FSB) announced it had arrested 14 members of the REvil gang and raided 25 locations associated with the individuals, in actions aimed at disrupting REvil's prodigious ransomware operations. The raids resulted in the FSB seizing the equivalent of $6.8 million in various currencies, as well as 20 luxury vehicles, cryptocurrency wallets, and computer equipment that gang members used as part of REvil operations.
Many security experts viewed the arrests with some skepticism because of its timing right in the middle of tense talks between the US and Russia over a potential invasion of Ukraine by the latter. The skeptics viewed the FSB's move as calculated to curry favor with the US, which had expressed deep concern over the threat posed by REvil following damaging ransomware attacks on JBS Foods and Kaseya last May and June by groups using the malware.
Despite the suspect motives, the FSB's action was significant and marked the first time that Russian authorities had acted against a major cyberthreat group operating from within its borders — and also at the behest of the US. In the past Russia had refused to even acknowledge that threat actors might be operating freely within the country because they perceived it to be a safe harbor for them.
Trustwave found that the FSB's surprise arrests last week have shaken that sense of complacency considerably. The security vendor observed threat actors on underground forums expressing concern over being arrested and Russia no longer being a safe place for their operations. Some even have begun discussing the potential of moving operations to India, the Middle East, China, and even Israel.
"In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed," Trustwave quoted one forum member as saying.
Fear, Uncertainty and Doubt
Trustwave found that the arrests have also fueled some paranoia within the Eastern European cybercrime community about a potential mole within their ranks. Apparently, there is some concern about one forum administrator working secretly with law enforcement. Suspicions about the individual's double role prompted one forum member to announce plans to publish part of his personal correspondence with the administrator, presumably to link the individual to the forum's illegal activities.
Others have begun offering advice on how to mitigate exposure to law enforcement by taking advantage of mechanisms like Tor, deleting old messages, using encryption, and not keeping all stolen data and other artifacts on a single computer. Trustwave observed one forum member saying: "It is now dangerous to write anything at all, anywhere. All posts need to be cleaned, those who are connected with cybercrime."
One of the tips that cybercriminals are offering each other is to avoid attracting attention like REvil did with its attacks on major, multibillion US organizations and targets in critical infrastructure sectors, such as JBS Foods. Trustwave observed several forum members suggesting that REvil's downfall resulted from its much-publicized boasting and intemperate targeting of organizations located in countries that had the muscle to pressure the Russian government to act.
Sigler says the volume of chatter on the underground forums is higher than it has observed before.
"The level of fear of being arrested and the discussion around the possibility that their homeland is no longer a safe haven are unique," he says. "There is serious concern that cooperation between the United States and Russia will be a problem for their operations going forward.”