After Russian FSB Arrests Members of REvil Ransomware Ring, Dark Web Chats Reveal Cybercriminals’ Inner Fears
The Jan. 14 crackdown on the REvil ransomware gang by the Russian Federal Security Service (FSB) has caused fear and anxiety among underground criminal networks, cybersecurity firm Trustwave has found. After analyzing dark web chatter on underground forums, Trustwave found that cybercriminals believe they may eventually be arrested and jailed and consider relocating from Russia to other countries.
Russia's domestic security services said the operation was at the request of U.S. authorities in response to a ransomware attack originating in the country.
In addition to detaining 14 members of the REvil ransomware ring, the Russian Federal Security Service said it seized 426 million rubles (about $5.6 million), $600,000, 500,000 euros and 20 luxury cars.
Dark Web Chat Transcripts Confirm Anxiety Over Potential Russian FSB-U.S. Cooperation
Potential cooperation between the Russian government and the U.S. has increased anxiety in underground circles: Trustwave SpiderLabs quoted a member of an underground hacking forum who said he was worried about serving time.
"It's a big change," he said, "and I don't want to go to jail."
According to Trustwave SpiderLabs, members of the underground forum believe their countries are no longer safe havens and fear arrest. Some have suggested moving their ransomware operations to India, China, the Middle East or Israel.
These concerns confirm that ransomware groups see Russia as a haven for their criminal activities. However, leaving Russia would only increase their chances of being arrested and extradited to the United States.
Another member warned others that the FBI is targeting ransomware groups through money changers in Moscow and St. Petersburg: "Everyone who exchanges in Moscow or St. Petersburg stops, the FBI is in Moscow. Through money changers, hard-working members of the ransomware ring will be covered (captured)."
They are concerned about money changers cooperating with law enforcement and providing information during interrogations.
One participant in the dark web chat raised suspicions of secret negotiations between the Russian Federal Security Service and the FBI to combat ransomware. Another warned that ransomware operators who rely on state protection would be alarmed.
"In fact, one thing is clear, those who expect the state to protect them will be greatly disappointed," he said.
Dark Web chat transcripts also show that members of the hacker underground are worried about the betrayal of forum administrators. They suspect one administrator of cooperating with law enforcement authorities and being involved in the arrests.
He promised to share a conversation he had with a member who "disappeared without a trace, most likely due to a man nicknamed RED \ KAJIT, who was the administrator of the ramp forum and worked for law enforcement against ordinary hard-working extortionists."
Forum administrators have access to member information and can share that information with law enforcement as part of a plea agreement or for incentives such as financial rewards.
Trustwave also analyzed a member's conversation from November 2021 that predicted arrests within two months.
However, some believe they can avoid arrest and continue their ransomware activities. One member offered several solutions for evading law enforcement if the Russian Federal Security Service cooperates with U.S. authorities. He suggested using Tor for anonymity, storing stolen digital assets on different computers, and using encryption technology.
In addition, he advised cybercriminals to avoid unnecessary dark web chatter, adding that "it's dangerous to write anything anywhere right now."
He also warned that closed-circuit television cameras are everywhere in Moscow and St. Petersburg, which is a huge security risk for cybercriminals involved in the actual extraction of ransom money.
Other participants in the dark web chat accused the REvil ransomware group of drawing attention to itself by attacking billions of organizations in powerful countries such as the United States and bragging about it.
One member noted that "being a superstar in our industry is a very bad idea."
"Before attacking and encrypting multi-billion dollar companies, schools, states, it is necessary to consider," he said, "who do they dare to compare themselves to?"
Russian FSB's Action on REvil Ransomware Likely a Distraction from Ukraine
Trustwave questioned the Russian FSB's commitment to fighting the ransomware threat. Members of an underground forum expressed a similar view in a dark web chat, calling the operation a show designed for international consumption. The REvil ransomware gang is considered low-hanging fruit and a lame duck in cybercrime because of its voluntary decision to scale down its operations and the earlier successful law enforcement actions against it.
The arrest of REvil may have helped the Russian Federal Security Service divert attention from the brewing crisis on the Ukrainian border and avoid additional sanctions from the United States. As a result, many Western experts remain skeptical that the arrest will ultimately lead to an indictment or open a new chapter of cooperation between the Russian FSB and international security services.
From: On DarkNet – Dark Web News and Analysis