Written by Mikel Pearce, Director of Business Development Canada & UK at CyberClan
Many of those reading this will recall the announcement from the FSB (Russia’s main security service) that it had “shut down” the ransomware (and “ransomware as a service”, or RaaS) gang REvil by searching and detaining 14 alleged members of the organization (see a report on this in the New York Times).
At the time the arrests were announced, in January of 2022, Russia alleged that it had made the arrests at the behest of the US government.
The arrests occurred shortly before Russia’s invasion of Ukraine. Suffice it to say there has not been much cooperation between Russia and the US government since that occurred.
While Russian officials initially claimed that the group had been “wiped out” by the arrests, there are now multiple reports (see ‘REvil Ransomware Attacks Resume, But Operators are Unknown’ and ‘REvil ransomware returns: New malware sample confirms gang is back’) that REvil is back up and running, and has been since late April of this year.
While there has been some speculation that the new REvil website and some new attacks that used its software were “copycats”, more recent information (reported on in the links above) appears to demonstrate that at least some of the original REvil members are behind the new website and attacks.
This raises several questions to which answers are not currently (and may never be) available:
1. Who has resurrected REvil, and what position did that person hold in the organization before the arrests?
2. Has Moscow released some or all of those who were arrested, clandestinely or otherwise?
3. Is REvil operating as an accomplice of the FSB, in some or all of its ransom activities?
4. Is REvil the thin edge of the wedge in terms of Russian threat actors coming back “on-stream”?
With regard to this last question, at least one other Russian RaaS gang, Conti, appears to be back up and running. On May 8, the government of Costa Rica declared a national emergency, apparently as a result of a series of ransomware attacks orchestrated by Conti.
With the re-emergence of both Conti and REvil as threats, it appears that the recent downturn in threat actor activity that has been observed by many in the cyber insurance market may be short-lived. Stay tuned. If there is one thing that is constant in the cyber world, it is change.