What can we expect from the REvil arrests?

It’s a good thing that malicious threat actors are being arrested, but this single event likely won’t result in much change.

Jan 24, 2022

It’s clear that the recent Russian law enforcement actions against REvil are a watershed moment in the fight against ransomware gangs. It’s a good thing that malicious threat actors are paying some sort of cost for their crimes, and it’s a positive step to see Russia take action against a pretty prominent group, given that the country hasn’t been inclined to do the same against other groups operating inside its borders. Yet, while the situation is still unfolding and there is lots more to be learned, we're definitely skeptical about the actual ramifications.

What we've learned

If the FSB did in fact arrest the “leader” of REvil as the press release states, it means REvil as the infosec community knows it is very much crippled, if not dead. Yet, there was little action from the group for months even before the arrests. REvil hasn’t been active since October 2021, and its own representatives on the cybercrime underground said it was ceasing operations.

The geopolitical ramifications have also come into play, given the current tension between Ukraine and Russia. We can’t dismiss the possibility that, given the current situation, the Russian government sees an opening via ransomware arrests to make some effort (or semblance of effort) at diplomatic peace with the United States and the international community.

Moving forward

It’s likely that in the short term Ransomware-as-a-Service (RaaS) operators will tighten their operational security due to the attention from law enforcement agencies (LEAs) on a global scale. This increase in discretion is unlikely to reduce the volume or cadence of malicious activity being carried out. Instead, we will likely see other groups seek to fill the void, as has been demonstrated in the past when prolific ransomware groups have been impacted by police activity or rule changes on underground forums. For example, when REvil terminated its operations in 2021, numerous other ransomware groups filled the void.

Even with REvil ceasing operations in October, ransomware incidents recorded by Intel 471 increased by 17.9 percent throughout the fourth quarter of 2021. As such, it’s unlikely that the REvil arrests will have any significant impact on the underground criminal economy or RaaS operations, with ransomware attacks likely to continue to increase against a wide variety of industries and sectors.

Nevertheless, it is possible that the seizure of large amounts of cryptocurrency during these raids will cause some fractures between malicious threat operators due to the loss of revenue. This is unlikely to be sustained, as any impacted operators will likely try to replace their losses by joining other prominent RaaS groups or affiliates.

This single event likely won’t result in much change in the ransomware-as-a-service ecosystem. We don’t expect it will deter cybercriminals until a pattern of similar law enforcement actions emerges on the heels of this one, demonstrating that the Russian government is seriously committed to cracking down on cybercriminal activity within its borders.