REvil convictions unlikely to curb Russian cybercrime

In a rare action against cybercrime, a court in Russia sentenced four individuals tied to the REvil ransomware gang on money laundering and malware distribution charges.

A Russian court sentenced four members of the infamous REvil ransomware group, but infosec experts agree the crackdown won't dissuade cybercriminals from continuing to operate out of Russia.

REvil emerged in 2019 as a ransomware-as-a-service group but was disrupted by the Russian Federal Security Service (FSB) in 2022 following arrests and cash confiscations in the millions. Last week, Russian news outlet Kommersant reported that Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky and Ruslan Khansvyarov were sentenced in a Russian court for money laundering and hacking charges as members of REvil.

Zayets, Malozemov, Puzyrevsky and Khansvyarov were initially arrested in 2022 and have been detained since. Kommersant added that the investigation began after U.S. law enforcement agencies alerted Russia to REvil's unnamed leader and his involvement in attacks against victim organizations described as "high-tech companies."

Initially, Russian authorities arrested 14 individuals in the crackdown on REvil, but only eight were brought to trial. Of the eight, four alleged REvil members were found guilty of illegal circulation of means of payment, while Puzyrevsky and Khansvyarov were also charged with using and distributing malware. Sentences ranged from four and a half to six years.

REvil is known for high-profile attacks against critical infrastructure organizations. For example, in 2021 REvil actors hit Colorado-based JBS Foods, and the meat processing company subsequently paid an $11 million ransom demand. REvil also claimed responsibility for a disruptive attack against software company Kaseya in 2021 that affected 1,500 downstream customers. However, Kaseya did not give in to the ransom demands.

No long-lasting effects

REvil was seemingly dismantled following two major law enforcement operations. The first was a multi-government operation that knocked REvil's infrastructure offline in 2021, and the second was the FSB action in 2022, for which Russia announced convictions only last week. While the arrests and subsequent sentencing are a positive step, infosec experts agree they won't deter cybercriminal activity in Russia, which is a hot spot for ransomware gangs.

Steve Stone, senior vice president of threat intelligence and managed hunting at SentinelOne, referred to the original arrests the FSB made in 2022 as "rare." He told TechTarget Editorial that while the sentencing of the four individuals is not surprising, since it stemmed from those FSB efforts, the initial arrests were.

Stone added that due to Russian government corruption, as well as ties to criminal groups and power dynamics, it's difficult to determine the true causes of the arrests or government actions. He said there could be a wide range of motivations beyond Russia cracking down on cybercrime.

"We assess this is unlikely to demonstrably change the Russian cybercrime ecosystem. First, this is not the first arrest through prosecution of cybercriminals. While it is rare, it's not unheard of," Stone said. "Second, Russia still almost undoubtedly has not changed their overall approach to cybercrime and how it functions within Russia. We have no indication of large-scale changes to the criminal ecosystem as well. Third, there have not been other arrests of Russian cybercriminals in the almost two years since this original effort."

Chester Wisniewski, global field CTO at Sophos, agreed that while the sentencing was slightly surprising, he doesn't believe it will have a meaningful effect on the bigger picture. He highlighted that the original arrests occurred in January 2022, more than a month before the invasion of Ukraine, when Russia was still occasionally attempting to placate the U.S.

"Any of that good will has long ago been squandered and there remains a lot of questions as to why this group was arrested and why only four of the eight were ultimately charged and sentenced," Wisniewski said in an email to TechTarget Editorial. "Russia largely works on the basis of patronage, and it would appear the REvil group either did not have the appropriate 'friends in high places' or broke the golden rule of committing crimes against Russian victims. Either way, happy to see them serving time, but it is not likely to deter others from continuing their digital crusade against Mother Russia's enemies."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.