When the REvil ransomware gang were rounded up in Russia by the state security service, the FSB in mid-January, it was one of the largest takedowns of cybercriminals in history. For years, REvil has rocketed through the internet, penetrating what were thought to be impenetrable systems and locking up precious data behind a ransom.
The ramifications were enormous, striking a blow at the heart of the cybercrime system – and whoever called in the location of the gang behind the enterprise stands to win big. The United States was willing to offer a $10 million reward for any information in connection with their arrest.
Alongside rounding up the criminals, the FSB said it had seized more than 426 million rubles ($5.5 million), including hundreds of thousands of dollars worth of cryptocurrencies. "The organised criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralised," the FSB said in a statement.
Criminals put on warning
The message from the FSB and the international community was clear: no criminals are impervious to punishment. That threat to the cybercriminals’ way of life has already had a massive impact on the way they operate, according to an analysis by Trustwave SpiderLabs.
“Our researchers found a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” the researchers wrote. “The comments mentioned a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation with the United States and Russia will be a problem for their operations going forward.”
When the going gets tough, it appears that those happy to wreak havoc in the cybersecurity world by launching ransomware attacks wanted to get going anywhere that didn’t involve jail. One forum member said: “This is a big change. I have no desire to go to jail.”
Action months in the making
Despite the seeming shock of the arrests when they occurred in mid-January, the reality is that the cybercriminal chatter analyzed by Trustwave SpiderLabs indicated that those involved in the criminal underworld feared that their time was coming long before then. Cybercriminals on the Dark Web back in November 2021 believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia, Trustwave says.
One commenter, posting on a popular dark web forum, said then: ”I confidently declare - all smeared with ransom will be shit in the best traditions during the 2022 year, and the luckiest - in the next two months. But not everyone has realized this yet.”
One of the major concerns that those remaining on the dark web forums have is that their conversations, which include claims of criminality, have been snooped on by law enforcement. Because of the high-stakes, high-reward roundup of some of the REvil gang – seen as the head of the snake – those lower down on the criminal totem pole worry that the administrators of the forums they use may already have flipped and are supporting the likes of the FBI. “If forum members do not trust each other anymore, that will definitely make it harder for them to conduct business on these forums,” say Trustwave. “This level of worry and fear expressed by Dark Web forum members is something we have not seen before.”
In order to try and keep safe, the cybercriminals have been swapping tips on how to evade police detection, including avoiding major cities to withdraw the loot they earn because of the large number of CCTV cameras in major conurbations. “There is a strong chance that the FSB’s activity has a long-term impact on cybercrime, but only if the Russian government follows through and prosecutes those arrested to the full extent of their law,” Trustwave researchers say. “Russian prisons are no walk in the park, and cybercriminals know that.”