It was the good news of January 2022. On January 14, Russia's Federal Security Service (FSB) announced the dismantling of the notorious REvil gang after 14 arrests. A relief: this cybercrime "SME" was suspected of involvement in spectacular computer attacks, from the agri-food group JBS to the pharmaceutical company Pierre Fabre.
The Russian police operation also came after several other blows to the gang. Beyond the surprise hack of its infrastructure attributed to the FBI and US Cyber Command, several major arrests were made in the fall of 2021. Among them was 22-year-old Ukrainian Yaroslav Vasinsky, suspected of taking part in the giant cyberattack on the IT company Kaseya and extradited to the United States in March 2022. The status of the proceedings against him is not known.
The blog is active again
A year after the Moscow crackdown, REvil is still being talked about, though not in the courts. With judicial cooperation with the United States and European countries at a standstill, the Russian investigation, according to the local press, has not really progressed. And the gang's main leaders appear to have slipped through the police dragnet. One key administrator, for instance, is probably still active on cybercrime forums, according to the cybersecurity company Trellix.
In November, the gang's name even resurfaced in the media after a cyberattack on the Australian health insurer Medibank. The link? The data published after the victim of this extortion attempt refused to pay a ransom was released on a former REvil leak blog.
Should we conclude that the gang is still active? "That's going too fast," says John Fokker, head of threat intelligence at cybersecurity research firm Trellix. "Reusing the burned brand would be completely contrary to what they have done in the past," he adds. For example, we know with almost 100% certainty that REvil members were previously active in the GandCrab gang.
A link the criminals concealed at the end of the 2010s so as to have a free hand in their new venture. Why change method now, when the sleight of hand has proved itself? For the Trellix analyst, a former Dutch cyber-cop, the resurgence of the REvil blog may simply be the work of opportunistic cybercriminals trading on the name of a feared gang. Another red flag, according to the analyst, is the lack of any significant evolution in the malware used, whereas the gang had always been good at innovating.
This view is shared by other IT security professionals.
"REvil" as an organization is clearly dead, notes Elisey Boguslavsky. But its former members "still work for other gangs or have joined smaller gangs," adds the head of research at the US firm AdvIntel.
The question of where REvil's workforce went also arose very quickly, at the start of last year, as shown by the troubling ties to the Ransom Cartel group. A year later, the situation has not changed. "We see similarities between REvil and LockBit," stresses François Deruty, COO of the French company Sekoia.io. No wonder: the disappearance of members and their dispersal into new criminal ventures is part of the DNA of ransomware gangs.
Consequences of the war in Ukraine
The life cycle of these franchises is indeed relatively short, on the order of a few years, after which their developers move on to writing new malware or become affiliates of the best-known franchises. But it may not have been so easy for REvil's former members.
"We knew that some of their developers were based in eastern Ukraine," recalls John Fokker, in territory that has since become a battlefield. And even before the war reshuffled the cards in this case, a wave of panic swept through the cybercriminal forums after the law enforcement operations. Proof that even if the culprits have managed to evade pursuit for now, the series of blows against REvil did real damage.