IT Tips & Tricks

Published 2 February 2022

How the Takedown of REvil May Increase Threats to IT Security Worldwide

Russian Federal Security Service Arrests 14 REvil Ransomware Culprits, Seizes Hundreds of Millions in Cash


“They went in at dawn,” would be a great opening line, but we don’t know what time it was when Russia’s Federal Security Service (FSB) hit 25 apartments across several regions in Russia, including Moscow, Leningrad and St. Petersburg on 14 January. The raid occurred following a request by US authorities and the FSB reported details of the raid back to the Americans.

In the movie, White Nights, renowned Russian defector and internationally acclaimed ballet maestro, Mikhail Baryshnikov, said, “You don’t ask, you don’t get.” So, what did the US authorities ask for, what exactly was the outcome and what is its relevance to you as an IT guy?

Crime, Cash and Cars


Proving once again that crime doesn’t pay, REvil members being arrested.

In a massive, coordinated operation, 14 key members of the REvil ransomware gang were detained as a result of the request by US authorities. The bust also resulted in a substantial cash haul: 426 million Russian rubles, €500,000 and US$600,000, along with computer equipment, cryptocurrency and crypto wallets. Additionally, twenty luxury vehicles — all purchased with the proceeds of international ransomware attacks — were seized.

“The investigative measures were based on a request from the … United States,” the FSB said, according to Reuters. “The information infrastructure used for criminal purposes was neutralized.”

All 14 members have been charged and face a minimum of seven years in federal prison. Those arrested had “developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and cashed them out, including by purchasing expensive goods on the Internet,” the FSB stated.

“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal group ceased to exist,” the statement continued.

The White House has acknowledged that one of the hackers detained was directly involved in the Colonial Pipeline incident.

“We understand that one of the individuals who was arrested … was responsible for the attack against Colonial Pipeline last spring,” a senior administration official reported. “We're committed to seeing those conducting ransomware attacks against Americans brought to justice.”

Besides the Colonial Pipeline attack, REvil is deemed responsible for the attacks on the multinational meatpacker JBS Foods and the US-based international IT firm Kaseya, amongst many others.


Wondering what 426,000,000 Russian rubles look like? Now you know.

Maximum Security


Montage of REvil gang member arrests by the FSB and view of the haul.

So, what, if any, impact does this have on you? Well, the problem with a major takedown like this is that cybersecurity specialists and IT professionals tend to heave a sigh of relief and let their guard down somewhat. That’s a mistake — a big mistake — as someone out there will, no doubt, discover all too soon. There’s never just one rat.

While the arrests may bring a modicum of satisfaction and relief to company owners, cybersecurity specialists and IT guys around the world, it should never be viewed as a sign to relax security measures. In fact, now is a time to actually be on heightened security alert. Right now, secondary threat actors are anticipating a lowered guard and are on the hunt, boldly intent on climbing the notoriety ladder. Don’t be a rat’s next victim.

In an interview with CBS News, Ken Westin, Director of Security Strategy for Cybereason cautioned that the Russian-led raids “could be a smokescreen or red herring.”

“Taking down a ransomware leader is like cutting the head off a hydra,” Westin added. “New leaders will step in to fill the void. The relationship between ransomware gangs and Russian APT (Advanced Persistent Threat) groups is well known and the true actors behind these groups will continue to operate with impunity.”

Neal Dennis, threat intel specialist at Cyware, sees it slightly differently. “Regarding REvil, the crime group has seen a few iterations and probably their fair share of internal attrition since inception,” he said. “They've weathered digital attacks and take-downs but always seemed to bounce back. Why? Because digital actions are nothing without arrests of key members of the gang. That being said, REvil is not the first Russian cyber crew to be wiped out by Russian authorities and won't be the last. In the past, when a group gets as large and prolific as this on the global stage, Russia eventually steps in.”


All this translates to a bottom line that dictates guards in the watchtowers, cauldrons of boiling oil on the ramparts, impenetrable fortifications and an endless supply of vigilant first-rate archers, all hell-bent on keeping your data secure, while enthusiastically raising a glass to the arrest of the REvil 14.

Check, Double Check and Cross Check

So, what exactly are threat actors looking for? What are the things that are often inadvertently missed by IT teams and ruthlessly exploited by ransomware gangs? Here are five common security culprits:


In a ransomware attack, encryption can buy you valuable time.

  1. Hidden Backdoor Programs

Manufacturers of computers, components and software often install a bit of code designed to allow remote access, typically for tech support purposes or diagnostics or configuration reasons. These “backdoors” can be a massive security vulnerability, offering easy access to the affected computer system and any network it is connected to.

  2. Access Privileges

Many organizations fail to apply adequate account access controls, allowing virtually every user in the network to have admin-level access. Simply restrict user account access to only what a user needs to do their job. Protect your network. No more, no less.

  3. Running Scripts without Malware Checks or Virus Checks

A commonly exploited vulnerability is the use of certain web browsers that automatically run “trusted” or “safe” scripts. Here, the cybercriminals simply mimic a trusted piece of code, trick the browser and run malware without anyone knowing until it’s too late. Your best bet is to disable the automatic execution of so-called “safe” files altogether.

  4. Unknown Bugs in Programming Interfaces and Software

We all know that software can be unbelievably complex, and when two (or more) programs interface with one another, that complexity only increases. Cybercriminals work at this on a daily basis, hunting for exactly these things: programming bugs and unanticipated code interactions that open a kind of wormhole for attackers to exploit. Be vigilant.


  5. Unencrypted Network Data

A network that lacks encryption doesn’t by itself invite a ransomware attack, but do you suppose that unencrypted data is tougher or easier for attackers to steal and use? Bear in mind that while encryption, itself, won’t stop an attack, it denies the attackers the ability to rapidly leverage your data in any meaningful way. To all intents and purposes, to them it’s just unintelligible gobbledygook until it can be decoded. The major advantage of encryption, in this scenario, is the time it buys so that affected parties can be notified and identity-theft countermeasures can be taken.
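Returning to culprit 2 (access privileges): the quickest way to find out whether “virtually every user” holds admin-level access is to audit group membership. The following is an added example, not code from this article or from LinkTek; it parses text in /etc/passwd and /etc/group format, and both the set of admin-level groups and the sample account data are assumptions constructed for illustration.

```python
# Added example, not from the article. Assumptions: the admin group set below
# (adjust to your policy) and the constructed /etc/passwd and /etc/group data.
ADMIN_GROUPS = {"root", "sudo", "wheel", "adm"}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc-backup:x:1004:1004:Backup service:/var/backups:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob,carol
wheel:x:10:bob
"""

def parse_passwd(text):
    """Return {user: (uid, primary_gid)} from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, *_ = line.split(":")
            users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Return {group: (gid, set_of_members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def admin_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Map each user to why it counts as admin: uid 0, primary or supplementary group."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    gid_name = {gid: g for g, (gid, _) in groups.items()}
    found = {}
    for user, (uid, gid) in users.items():
        reasons = {"uid0"} if uid == 0 else set()
        if gid_name.get(gid) in admin_groups:
            reasons.add(gid_name[gid])
        reasons |= {g for g, (_, m) in groups.items() if g in admin_groups and user in m}
        if reasons:
            found[user] = sorted(reasons)
    return found

def audit(passwd_text, group_text):
    """Return (share of accounts that are admin, one finding line per admin account)."""
    users, admins = parse_passwd(passwd_text), admin_accounts(passwd_text, group_text)
    ratio = len(admins) / len(users) if users else 0.0
    return ratio, [f"{u}: {','.join(r)}" for u, r in sorted(admins.items())]
```

On the constructed sample, four of five accounts come back as admin-level, which is exactly the pattern the paragraph above warns about; on a real host, feed it the contents of /etc/passwd and /etc/group and treat anything beyond the handful of people who genuinely need elevated access as a finding.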

Suits, Sunglasses and Earpieces

When it comes to the overall security of your data, we’re going to trust that you’ll give it some serious thought and seek out the tech equivalent of the rugged men in dark suits, sunglasses and earpieces — your security detail — to do whatever needs to be done to get that covered, lock, stock and barrel. And if we’re talking about data migration, again you want the guys in dark suits, securely ushering your data from one location to another. While the FSB guys may be armed with Makarovs, all you need to prevent data loss due to the inevitable broken file links is LinkFixer Advanced.


With LinkFixer Advanced, you can easily relocate most common file types, along with the files they link to, in batch, and have all those links maintained totally automatically.

Whether you’re dealing with hundreds of thousands of files during a data migration or just a few dozen files on a desktop, LinkFixer Advanced is your go-to. No downtime, no complaining end-users, no grumpy bosses and most importantly, no missing data due to broken links. If this sounds like a defense system you want on your side, call 727-442-1822 to speak with a friendly Service Consultant. Alternatively, visit LinkTek.com to schedule a live demo or a complimentary trial. Na Zdorovie!
