Ransomware

Cybercriminals Take Action after Dramatic REvil Arrests

Cybercriminals Take Action after Dramatic REvil Arrests

After the renowned REvil ransomware group (also known as ‘Sodinokibi’), was arrested by the Russian and U.S. authorities, our cyber analysts take a look at the impact of this development on the cybercriminal community in the dark web.

REvil, which was considered as one of the most aggressive ransomware gangs, are responsible for high-profile attacks, including the against the JBS Foods company, one of U.S.’s largest beef producers.

Recently, Russia’s Federal Security Service (FSB) announced that the Russian authorities dismantled the ransomware gang “REvil”, in an operation they launched in collaboration with the United states. 

The announcement on the arrest came only a day after the Ukrainian government suffered a massive hacking attack on 70 of its domains. To many, this announcement was unusual as it came as tension between Russia and the U.S. are high because of the alleged involvement of Russia in the cyberattack against Ukraine’s sites. A possible explanation is that the arrest took place months before as our records indicate REvil stopped operating their website on the TOR network about 3 months ago.

Using our Cyber API, our analysts dived into the depths of the dark web to shed more light on the impact of this development on the cybercriminal community in general, and on ransomware gangs in particular. 

What did we find?

Fear of Undercover Agents and collaborators in the Cybercriminal Community

The REvil arrests have sent shock waves across the cybercriminal community, at least according to a correspondence we discovered between a member of the famous Lockbit ransomware group and a REvil member. The Lockbit member shared a screenshot of the correspondence in the famous dark web forum “XSS”, where they are both expressing their concerns that the admin of another dark web forum “RAMP”, named RED/KAJIT, may be collaborating with the Russian authorities. The Lockbit member speculates that the contact between REvil and RAMP’s admin may have been one of the triggers for the arrest of the 14 REvil members. This shows the level of concern in the cybercriminal community since many administrators have access to the contact information of forum members.

The correspondence between a member of the famous Lockbit ransomware group and a REvil member on the famous dark web forum "XSS",

The Race for Anonymity

Recent discussions on the dark web forums show that members of the cybercriminal community are anxious and fear the consequences of future Russian-U.S. collaborations. Some of the threat actors discussed operating in other countries such as China, India, Israel and Arab countries since they don’t feel safe in their countries, like the ones in the image below.

A discussion of cybercriminals who are looking to relocate to "safer" places on  dark web forums

Others shared tips on how to improve their safety methods and remain anonymous in the new and more dangerous landscape. 

Decrease in the number of new ransomware sites

Since the arrest was announced until the moment of writing these lines, we didn’t find any launch of new websites by existing or new ransomware gangs. This is an unusual finding as a new site would go live on a weekly basis, at the very least. We also discovered that the number of leaks published by existing ransomware gangs has dramatically decreased in that time.

Our cyber team will continue to watch these dark web spaces closely over the next few weeks because the slow down is only temporary, as the cybercriminal community always looks for new ways to sustain its illegal activities.

Hagar Margolin
Hagar Margolin

Cyber Analyst

Spread the News

Not subscribed to our Dark Web Pulse updates?

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED