In a blow for cyber villains, REvil, the notorious ransomware gang that operates out of Russia, has been busted by Russian authorities. The arrest of 14 members of REvil is a deeply significant moment in cyber-crime and cyber-relations between the US and Russia.

For years, Russia has ignored and denied accusations that Russian ransomware hackers are allowed safe harbour in the country to attack western targets. The US had offered a reward of up to $10m (£7.3m) for information leading to the gang members.

Following the arrests, Russia's intelligence bureau, the FSB, said the group had "ceased to exist". The agency said it had acted after being provided with information about the REvil gang by the US. However, it does not appear that any Russian members of the gang will be extradited to the US.
  • The operation is the first time in years that the US and Russia have collaborated on a cyber-crime operation.
  • The FSB said it had seized more than 426 million roubles (£4m), including about £440,000 worth of crypto-currency.
  • It also said that more than 20 high-end cars had been seized from gang members.

Seismic shudders jolt the cyber underground

There have been signs of considerable anxiety and consternation among Eastern-European cybercriminals in the days following the REvil arrests.
  • Many cyber criminals now seem less confident about Russia being a haven for their operations and fear that cooperation between Russian and US authorities could pose major problems for them in the future.
  • A feeling of instability, fear, and paranoia is now being detected in cybercrime forums. Some have begun discussing the potential of moving operations to India, the Middle East, China and even Israel.
  • Some cyber criminals are offering advice on how to mitigate exposure to law enforcement by taking advantage of tools like the Tor browser, deleting old messages, using encryption, and not keeping stolen data on a single computer.
  • Cybercriminals are also offering each other advice on how to avoid attracting attention, such as staying under the radar and, unlike REvil, not launching attacks on major, multibillion-dollar US organizations and targets in critical infrastructure sectors.

Why now?

The arrests come at a tense time between the US and Russia over a potential invasion of Ukraine. The FSB's move could be calculated to gain favour with the US, which has expressed deep concern over the threat posed by REvil following a series of damaging ransomware attacks.

In a sense, it’s likely that this is a diplomatic move of sorts, with Russia sending a signal to the US that if it doesn’t enact severe sanctions for an invasion of Ukraine, Russia will continue to cooperate on ransomware investigations. Of course, this begs the question: if the US does impose sanctions, will REvil be resurrected in another form?

A testing ground for Russian hacks

Ironically, the REvil arrests were announced as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the Internet. “Be afraid and expect the worst,” the message warned.

Ukraine has long been used as a testing ground for Russian offensive hacking capabilities. For instance, state-backed Russian hackers have been blamed for a cyberattack on Ukraine’s power grid several years ago that left 230,000 customers shivering in the dark.