REvil's Dismantle Represents a Rare US-Russia Collaboration



At first, cybercriminals stole sensitive data and threatened to publish it, or encrypted it until the ransom was paid. Now these criminals are using new techniques to get into an organization’s network, one of them being the supply chain attack, much like the SolarWinds attack. Unlike SolarWinds, this story concerns a ransomware gang that was dismantled this year by Russia at the US government’s request, to put an end to its attacks on large firms; the group’s goal was monetary gain rather than cyberespionage.

The group aimed solely at money and was the one behind the hack of the New York law firm Grubman, Shire, Meiselas & Sacks, which held documents related to former US president Donald Trump.

The group’s arrest implies a rare collaboration between the two nations at a time when both are highly focused on Ukraine, which is busy dealing with a massive cyber attack that shut down government websites. One of the individuals in the group was found to be the one behind the Colonial Pipeline incident of 2021, in which data was encrypted by DarkSide, developed by REvil.

For years, Russia has brushed aside and dismissed allegations that Russian ransomware hackers have been given safe haven in the nation to attack western targets.

Even the most optimistic specialists had given up on seeing the negotiations bear fruit after Russia's President Putin and US President Biden agreed to initiate conversations about how to battle ransomware during their Geneva Summit last summer.

The arrest of the REvil gang by Russian authorities on Russian soil is a significant achievement that few could have imagined.

REvil was one of the most prolific ransomware groups, even though its operation had been completely dismantled since September last year, and this arrest sends a strong message to Russian cyber-crime gangs: the party is over.

It's also the first time the US and Russia have worked together on a cyber-crime operation in years.

It might signal a thawing of relations, which is already being praised in the cyber-security community.


Police and the FSB (Russia’s Federal Security Service, its domestic intelligence service) raided 25 residences, arrested 14 persons, and seized 426 million roubles (approximately Rs 40 crore), $600,000 (about Rs 4 crore), 500,000 euros, computer equipment, and 20 luxury cars as part of a joint operation.

“The investigative measures were based on a request from the … United States,” the FSB said. “… The organized criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralized.”

The members of the organization have been charged and might face up to seven years in prison, according to the FSB.

Roman Muromsky and Andrei Bessonov were identified by a Moscow court and remanded in jail for two months. Muromsky worked as a web developer for a company called 'Motohansa', which sold motorcycle parts.

Ransomware + Evil = REvil

REvil, an amalgamation of "ransomware" and "evil", is a ransomware-as-a-service (RaaS) operation that rose to prominence in April 2019 after the fall of GandCrab, another ransomware organization. The REvil group, also known as Sodin and Sodinokibi, has been active on underground cyber forums, promoting attacks on cash-rich business networks.

Besides that, it was known to steal data from its victims' machines and networks before encrypting it, a method that has become widely familiar today. If victims fail or are unwilling to give in to REvil’s demands, the group threatens to sell off the stolen data on its website, the Happy Blog.

Requirements Unmet, Get Featured on the Happy Blog

The Happy Blog displays recent REvil victims, along with a sample of the stolen data as confirmation that data has been taken from the company. The REvil gang even offers a ‘trial’ decryption to the victim to demonstrate that their files can be decrypted.

Companies deciding how to respond face increased pressure as a countdown meter indicates when data leaks will be made public.

One real-world example is the Kaseya VSA incident, in which not only was Kaseya's software compromised, but it was used against the IT infrastructure of its customers. The ransomware was delivered through the Kaseya VSA server platform using a malicious update payload. The REvil gang exploited a zero-day vulnerability in the Kaseya VSA server platform (CVE-2021-30116).

Huntress Labs and TrueSec security researchers discovered three zero-day vulnerabilities that could be used in attacks against their clients, including:

  • Authentication Bypass Vulnerability
  • Arbitrary File Upload Vulnerability
  • Code Injection Vulnerability

Why They Are Ransomware-as-a-Service

REvil also ran as a company, selling hacking technology and other tools to third-party hackers. REvil members would rent the ransomware to other hacker groups so they could carry out similar attacks: ransomware as a service (RaaS). In exchange for the use of its services and software, REvil took a percentage of any ransom payments collected by the other group.

How to Shield Against REvil

Backups should be made to a secure offsite location. Beyond that, the company should:

  • Keep its security solutions up to date and make sure PCs are protected with the most recent patches against newly identified vulnerabilities.
  • Use hard-to-crack, unique passwords and enable multi-factor authentication to safeguard sensitive data and accounts.
  • Encrypt its sensitive data wherever possible.
  • Continue to educate its employees about the threats and strategies cybercriminals use to infiltrate organizations electronically.