Mon | Jan 17, 2022 | 12:36 PM PST

The infamous Russian-based ransomware gang known as REvil took a big hit over the weekend.

Russia's Federal Security Service (FSB) announced it has identified and shut down the entire REvil criminal enterprise, conducting raids at 25 different locations.

As a result of the raids, Russian authorities seized over 426 million rubles, $600,000, and €500,000 in cash, along with cryptocurrency wallets, computers, and 20 luxury cars.

Fourteen individuals were implicated in the ransomware gang's crimes, though it is unclear how many arrests were made. However, a senior White House official did say that one of the individuals arrested was responsible for the Colonial Pipeline incident that caused gas shortages on the East Coast of the United States last year.

The FSB also said the raids came at the request of the U.S. government, after the White House passed along a list of hackers within Russia's borders who had attacked U.S. organizations.

Russia raids REvil ransomware

The timing of these arrests has spurred discussions as to what the true motives of the Russian government are.

Cybersecurity tensions between Russia and the U.S. have steadily risen over the last few years and reached a boiling point last summer, with President Biden and Russian President Vladimir Putin meeting to discuss what could be done to ease them.

Putin agreed to enter into "consultations" with the U.S., but specific details of this agreement have not become public knowledge.

Could these arrests mean Russia intends to keep its promise to the U.S.?

John Bambenek, Principal Threat Hunter at Netenrich, discusses:

"Russia acting on any cybercrime report, especially ransomware, is especially rare. Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn't happen.

It is doubtful that this represents a major change in Russia's stance to criminal activity within their borders (unless they target Russian citizens) and more that their diplomatic position is untenable and they needed to sacrifice a few expendables to stall more serious geopolitical pressure.

If in three months there isn't another major arrest, it's safe to assume no real change has happened with Russia's approach. Nevertheless, it's a big arrest and will have significant short-term impact to reduce ransomware."

The geopolitical pressures that Russia currently faces come as the country's conflict with Ukraine continues to escalate.

Ukraine recently reported it has seen numerous cyberattacks on government agencies, and Russia is widely believed to be responsible for these attacks.

President Biden has stated that there would be "severe economic consequences" should Russia continue to provoke Ukraine. Does that mean the REvil arrests were politically motivated?

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, shared his thoughts on the motives behind the arrests:

"The fact that the FSB targeted REvil, who have not been publicly active in conducting attacks since October 2021, is also significant; chatter on Russian cybercriminal forums identified this sentiment, suggesting that REvil were 'pawns in a big political game,' while another user suggested that Russia made the arrests 'on purpose' so that the United States would 'calm down.'

It's possible that the FSB raided REvil knowing that the group were high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape.

These arrests could also have served a secondary purpose, as a warning to other ransomware groups. REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting."

There are plenty of reasons why the Russian government decided to move against REvil, a group that has collected over $200 million in ransomware payments in the last two years, according to FBI data. But it remains to be seen how this will impact the rest of the ransomware market and whether Russia truly intends to assist the U.S. in fighting cybercrime.
