Ransom-War Part 4b: Ransomware Diplomacy
Short-lived US-Russian “cyber-détente” of 2021-2022: less an effort to cooperate against cybercrime than an effort to use cybercriminals as a bargaining chip for strategic goals
Dedicated to the memory of John J. Foarde III, a diplomat devoted to his country, a longtime observer of China and shrewd geopolitical analyst, a caring mentor, and a true gentleman.
This is part 4b of Natto Thoughts’ “Ransom-War” series.1 The series argues that Russian ransomware actors are not solely financially motivated; rather, whether they like it or not, they are immersed in a geopolitical context and mindset of confrontation with the “collective West”; in at least some cases the targeting and timing of their attacks align with Russian strategic interests, suggesting some degree of state inspiration or even coordination.
Part 4b, the present section, argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals.
As we saw in Part 4a, on January 14 2022 the Russian Federal Security Service (FSB) announcement of arrests of REvil ransomware suspects coincided with a massive wiper operation against Ukrainian government computer systems, all taking place against the background of frantic international attempts to prevent Russia from invading Ukraine. A week later, the FSB announced the arrest of suspects of the Infraud organization, which the US had been pursuing for years. These Russian government actions likely pursued multiple goals and aimed to send messages to different audiences. To Russian criminals, the arrest likely signaled “that their best bet is to place their loyalties with the Russian state,” as researchers at the Federal Institute of Technology in Zurich phrased it.
As a message to Western governments, the January 14 events served as “Russian ransomware diplomacy,” as Dmitry Alperovitch of the Silverado Policy Accelerator assessed. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.” A Russian political analyst explicitly identified the REvil takedown as a tool for geopolitical persuasion. Likely referring to Russia’s demand that Ukraine not be allowed to join the NATO alliance, he said the REvil takedown “can’t convince the Americans to accept our view on NATO or other issues, but it makes a positive contribution.” The analyst’s comment reflects an idea that was likely in the air at the time: that Russia’s treatment of cybercriminals was not simply carried out to fight cybercrime but could serve as leverage in Russian-US relations and in Russia’s attempt to subjugate Ukraine.
The January 2022 arrests mark a high point in the supposedly promising era of Russian-US anti-ransomware cooperation that followed the May 2021 Colonial Pipeline attack, symbolized by a dialogue initiative variously called the “U.S.-Kremlin Experts Group,” the “White House-Kremlin Experts Group,” or the “Kremlin-White House format.”
The present installment of the “Ransom-War” series takes a closer look at events surrounding that short-lived era of supposed cooperation and the patterns of apparent law enforcement crackdown that followed, including the subsequent fate of the REvil suspects. It argues that the Russian government has dangled the threat of Russian ransomware, and the promise of cooperation against it, as bargaining chips to promote Russia’s own strategic goals, including the subjugation of Ukraine and international acceptance of Russia’s vision of international information security. And it likely uses any arrests to pressure criminals to work for the motherland.
Supposed Era of Cooperation Against Ransomware, June 2021-Early 2022
The May 6-7 2021 attack on Colonial Pipeline appears to have come as a shock to everyone. A raucous series of events – threats, new attacks, Western actions against the threat actors, and possibly Russian government actions as well – eventually ended in the June 16 2021 agreement between the two nations on the “White House-Kremlin Experts Group.”
As readers may remember, on May 7 2021 a ransomware attack on Colonial Pipeline, using Russia-based Darkside malware, paralyzed gasoline stations up and down the US eastern seaboard. On May 10 US President Biden said US intelligence agencies had evidence that the ransomware was in Russia but “so far” had no evidence of Russian government involvement; nevertheless, he said, "They have some responsibility to deal with this."
On May 13, Biden added that the US would “pursue a measure to disrupt” the ability of the DarkSide ransomware group to operate; that a new Justice Department task force would seek to prosecute ransomware hackers “to the full extent of the law”; and that he would likely speak with President Putin about an international standard requiring governments to take measures against criminals operating from their territories.2
Also on May 13, several Russian underground forum administrators banned discussions of ransomware; REvil and Avaddon ransomware operators announced new rules banning attacks against healthcare, educational and government organizations; and the DarkSide operator, saying its hosting provider had cut off access to its infrastructure “at the request of [unnamed] law enforcement agencies,” announced its retirement “due to the pressure from the US.”3
This apparent pullback by Russia’s cybercrime underground did not end the turmoil, however. Attacks and threats continued.
On May 30, threat actors using the related REvil (a.k.a. Sodinokibi) malware crippled the Brazil-based JBS meat processor, affecting facilities in the United States, Canada, and Australia and creating fears of empty barbecue grills on the US Memorial Day holiday.
On June 2 US President Biden said the White House was “looking closely” at whether to retaliate against Russia.
On June 4 Putin scorned as “ridiculous” and “simply laughable” the idea that Russia’s government could be involved in attacks on “some kind of meat factory....and a pipeline too,” adding, “we do not have dealings in (не занимаемся) some kind of beef or chicken.”
On the same day, a REvil spokesman said the US had overreacted to the JBS incident and declared open season on US targets. “Since there’s no point in avoiding the US targets anymore, we have lifted all the restrictions....From now on, every entity in this country can be targeted...access to US companies will be sold for a song, and we’ll offer preferential terms to our affiliates.”
On June 7 the US Justice Department announced it had seized a large share of the Bitcoins that Colonial Pipeline had paid to the Darkside actor, part of the disruption strategy of the new DoJ anti-ransomware task force.
The ransomware issue dominated the June 16 2021 Biden-Putin summit meeting. Biden appears to have made implicit threats to Putin: as Biden told reporters afterward, "I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter.' I pointed out to him that we have significant cyber capability. And he knows it." Underlining the threat, on June 14 NATO issued a statement reaffirming that "the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack."
After the summit, Putin hailed the two men’s agreement to hold cybersecurity consultations and complained that the US had been slow to provide law enforcement information that Russia requested.
Hopes, Fears, and Recriminations
Between June 2021 and early 2022 there followed an era of supposed US-Russian cooperation against cybercrime, involving limited intelligence sharing, discussions about cooperation, shutdowns of ransomware infrastructure, and some arrests, including those announced on January 14 2022.
Some analyses portray this era as a genuine and potentially promising attempt at US-Russian cooperation against ransomware, an attempt that Russia’s full-scale invasion of Ukraine nipped in the bud. One Russian article called it a “short-lived era of cyber détente,” a reference to the time of relaxation of US-Soviet tension in the 1970s.
However, any cooperation took place in an atmosphere fraught with suspicion and mutual recrimination. US officials kept expectations low, while Russian officials portrayed their own actions as reasonable and criticized the US side as high-handed, unforthcoming and unwilling to take Russian concerns into account. Russian actions, moreover, cast doubt on whether Russia ever intended genuine law enforcement collaboration or whether it was using any cooperation for leverage over the United States in its own strategic interests.
So What Did the “White House-Kremlin Experts Group” Do?
Communication:
A handful of video conferences took place between June 2021 and early 2022, with a Foreign Ministry official saying in mid-July 2021 that four rounds of “consultation” had taken place and a Russian Security Council official saying two rounds of video conferences had taken place by April 2022, along with the exchange of letters and phone calls. On the Russian side the discussions included representatives of the Security Council staff, the Foreign Ministry, Procuracy, and FSB. The US side, led by Presidential National Security Advisor Anne Neuberger, included representatives of the US Justice, State, and Homeland Security Departments and the Security Council.
Information sharing:
Russian officials said the US had supplied them with the name and IP address of the Colonial Pipeline suspect and that they had acted on this in the REvil arrests announced January 14 2022. Kremlin-friendly media later explicitly identified the suspected perpetrator of the Colonial Pipeline attack as Daniil Puzyrevskiy. A top US official acknowledged on January 14 2022 that the arrestees included “the individual responsible for the attack against Colonial Pipeline” but did not specify which one that was. Kommersant, a semi-independent Russia business news source, reported in September 2021 that the US provided intelligence on groups such as Evil Corp, TrickBot, and REvil. Russia also asked the Americans for information about the activities of REvil/Sodinokibi and informed the Americans about Russia’s actions against a criminal group that used Dyre and related TrickBot malware. The national computer incident response centers also exchanged information, Kommersant said.
Just two weeks after the June 16 2021 Biden-Putin summit, however, a REvil affiliate carried out a supply-chain attack on IT software company Kaseya, affecting hundreds of Kaseya’s customers. Biden called Putin again on July 9 2021, demanding Putin “take action” against cybercriminals in Russia and saying the U.S. reserves the right to “defend its people and its critical infrastructure.”
Soon, REvil leader “UNKN” disappeared from view and the REvil group’s infrastructure went offline. Analysts discussed whether the US government or the Russian government had taken it down. Did this mean that Russia and the US were making progress in cooperation against ransomware?
Guarded Optimism:
In the months after the June 2021 summit, some analysts expressed guarded optimism about the prospects for US-Russian law enforcement cooperation. At a July 22 2021 Atlantic Council panel, participants assessed that the US could convince Russia to address ransomware. They made points such as that “ransomware perpetrators reside outside of Putin’s inner circle and aren’t a significant source of profit for the government”; “This isn’t something [Putin] cares that much about; they just weren’t taking it seriously”; and “the Russian government’s low investment in enabling the criminals creates an opportunity for the U.S. to persuade Putin to crack down.” With the benefit of hindsight, Natto Thoughts’ “Ransom-War” Part 4a assessed that the Russian government has actually valued hacker talent highly over the years, investing political capital in protecting members of the ransomware ecosystem against extradition.
Some analysts said in late 2021 that they saw a lull in activity from some prominent Russian cybercriminal actors. Other analysts, however, saw Russia-based ransomware groups “actively recruiting new cybercriminals.”
US Officials Skeptical
US officials have said little about the work of the White House-Kremlin dialogue group, aside from saying the two countries had “open, direct and candid dialogue” or “frank and professional exchanges,” that the US had provided Russia with some information on ransomware attacks originating from its territory, and that “We’ve seen some steps by the Russian government and are looking to see follow-up actions.”
In general, US officials remained skeptical about the value and genuineness of this cooperation. White House cybersecurity director Chris Inglis said attacks on American systems from Russia-based hacker groups had abated somewhat in recent months, but he thought some of the hacker groups were “lying low to wait out the storm and then return,” according to a September 2021 report by Kommersant. In October 2021 CNN reported that Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said “she had not seen ‘significant, material changes’ in Russian behavior since the tete-a-tete between Biden and Putin.”
Russian Complaints:
Russian officials characterize the Kremlin-White House dialogue as promising and their own actions as honest, but criticize the US side as high-handed, unforthcoming and unwilling to take Russian concerns into account.
Insufficient Information Sharing: Putin complained in June 2021 that the US had not responded to any of the 45 information requests Russia had sent in 2020. By September 2021, the US had responded to only nine of these, Russian Foreign Minister Sergei Lavrov said. As we shall see below in the case of the REvil suspects arrested in January 2022, Russian officials blamed the slow progress of that case on US failures to share information. In May 2022, Russian Security Council official Khramov assessed that this partly resulted from domestic American politics, as the Biden administration was receiving criticism within the US for conducting dialogue with “the Russians.”
“High-Handedness”: Furthermore, according to Khramov, the US side “demanded, as an ultimatum, that [Russia] confess to the unsubstantiated allegation that Russian authorities had controlling influence over hacker structures [Ультимативно требовали признать бездоказательный факт управляющего воздействия российской власти на хакерские структуры] and that [Russia] unilaterally commit to end their criminal activity.” Khramov claimed that the US Deputy Attorney General (DAG) had categorically demanded the immediate arrest of the suspected “main hacker,” even in the absence of evidence. The DAG had supposedly said, “Arrest him on some technicality, and you can add the rest [later].” Khramov asserted that the main goal of Washington was to “show their adversaries and allies ‘We forced the Russians to do that’.”
Reluctance to Agree to “Non-Interference”: Throughout this period, top officials from Russia’s Security Council and Foreign Ministry (hxxps://tass[.]com/world/1421913) insisted that the US should negotiate with Russia on an agreement Putin had proposed in a September 25 2020 declaration. That declaration had called for a US-Russian agreement to “prevent incidents in the information space and exchange guarantees of non-interference in each other’s internal affairs.” Russian officials interpret “interference” broadly to include any criticism of the country.
Resistance to Russian UN Proposals for Internet Governance: Russian Security Council official Khramov complained repeatedly that the Americans resist Russian proposals for an international information security document, citing US “hegemonic ambitions,” “force” and “domination” (hxxps://tass[.]ru/politika/14657587). We shall discuss below how Russian officials tried to use the REvil case as leverage in these negotiations.
Single-Minded Focus on Ransomware: On July 22 2021 Russian Foreign Ministry Deputy Director Sergey Ryabkov, speaking to a Russian-American meeting on nuclear security, called for broadening the consultations on cybersecurity to include “strengthening strategic stability as a whole.” Strategic stability traditionally referred to nuclear arms control but could extend to cyber arms control. Kommersant deduced that Russia was concerned about the US military’s capability to conduct cyberattacks on Russian military control systems.
Independent Western Efforts: Whacking Moles
Meanwhile, the US and its allies did not limit themselves to negotiations and cautious information sharing with Russia. Western officials also undertook their own measures to counter the ransomware threat. In June 2021 the US Department of Justice (DoJ) launched an anti-ransomware task force and declared that ransomware cases should be treated with the same priority as terrorism cases. Law enforcement from various Western countries worked with Ukrainian officials to take down criminal groups and infrastructure there. The DoJ also seized cryptocurrency that victims had paid in ransom to DarkSide and to REvil actors Aleksandr Sikerin and Yaroslav Vasinskyi. Western law enforcement also took down or infiltrated ransomware groups’ servers, all as part of a new priority of disrupting ransomware groups and making crime less profitable for them. The US State Department’s “Rewards for Justice” program also offered rewards of up to $10 million for information that would lead to the prosecution of top ransomware criminals or for proof of any sponsorship by the Russian state.
Ransomware Actors Adapt
The ransomware actors adapted by reorganizing and rebranding. Western efforts came to resemble a game of Whack-a-Mole.
After REvil leader UNKN disappeared and the REvil group’s infrastructure went offline in July 2021, REvil came back up in September with a new self-proclaimed leader nicknamed 0_neday. On October 17 2021 0_neday announced the group was ceasing operations again, saying that someone (apparently Western law enforcement) had hijacked its domains. In April 2022 a purported REvil site reappeared, but by then it was unclear who controlled it: REvil group members, other cybercriminals, or Russian or Western law enforcement.
On July 31 2021, DarkSide, which had shut down in May after the Colonial Pipeline blowback, rebranded as BlackMatter. On November 3 2021 a BlackMatter representative announced the group was shutting down operations following “pressure from the authorities (part of the team is no longer available after the latest news).” Since he did not specify that the authorities were foreign, it is likely he felt pressure from Russian officials. BlackMatter apparently rebranded as the AlphV/BlackCat group, which is responsible for operations such as the crippling of militarily sensitive fuel-loading facilities and ports in Central Europe shortly before Russia’s full-scale invasion. Even in 2024 AlphV continued posting loud claims of ransomware attacks, despite the US Justice Department’s disruption of its infrastructure on December 19, 2023.
In July 2021 Mikhail Matveev (a.k.a. Wazawaka) created the RAMP forum to cater to ransomware actors ousted from other underground forums after the Colonial Pipeline blowback. However, even the established underground forum administrators never fully enforced their May 2021 ban on ransomware discussions. As Digital Shadows (now Reliaquest) wrote on August 31 2022, “the number and scale of ransomware attacks has certainly not wound down over the past year. In fact, it’s quite the opposite. For all the initial fanfare around the forum ransomware ban, life in the ransomware world has carried on with barely a dent; operators can recruit affiliates with a carefully worded job description, and affiliates can purchase initial accesses as easily as we can pop to the shops for milk.”
Discouraging Cooperation with Western Law Enforcement
At the same time, Russian government actions suggested they did not intend genuine cooperation. On September 28 2021 Russian officials arrested Ilya Sachkov, head of Russian cybersecurity firm Group-IB, on charges of treason. Convicted on the basis of evidence such as “business cards from an FBI officer and a British Embassy employee in Russia,” Sachkov eventually received a 14-year sentence. Although questions have been raised about Group-IB’s trustworthiness, Group-IB has long worked closely with Europol and other foreign governments. Analysts suggested that the FSB and SVR [Russia’s Foreign Intelligence Service] were retaliating against Sachkov. He had criticized them publicly in 2020 for indulging and rewarding people the outside world considers criminals. Sachkov had warned that their impunity harmed the reputation of Russia’s IT companies. Sachkov’s arrest likely sent a chilling message: anyone who might consider cooperating with Western law enforcement could be labeled a traitor.
Furthermore, the “treason” label has flourished in recent years. In 2019, after the poisoning of former Russian intelligence agent Sergei Skripal in the UK, Putin said “treason is the gravest crime possible and traitors must be punished.” This could be read as a warning to Russian cybercriminals and others then in Western custody, who might be considering cooperation with the prosecution in return for shortening their sentences. Treason prosecutions in Russian courts have skyrocketed after the 2022 full-scale invasion of Ukraine, snaring people such as scientists who conducted joint projects with foreign colleagues or journalists who criticized Russia’s war. A similar fate could also potentially await anyone who provides information to the United States under the US State Department’s Rewards for Justice (RFJ) program. The RFJ program offers help with relocation for those who might fear repercussions for providing information.
However, even relocation may not protect a person whom the Russian state deems a traitor. A Russian pilot who defected to Ukraine and received a new identity there was fatally shot in Spain in February 2024 in a suspected Kremlin-directed hit.
In contrast, a person who provides testimony against a “spy” or “traitor” can hope for possible leniency from the Russian justice system. Hacker-turned-FSB Major Dmitriy Dokuchaev appears to be one of those lucky ones. Russian law enforcement arrested him in December 2016 on treason charges, along with his FSB superior Sergey Mikhaylov and Kaspersky Lab cybercrime researcher Ruslan Stoyanov. According to rumor, their supposed “treason” consisted of providing information to US officials; opinions differed on whether that information concerned the Russian hack-and-leak operations against Democrats in the 2016 election or earlier alleged crimes by Chronopay head Pavel Vrublevsky. Arguably, the “traitors” had simply been engaging in the law enforcement intelligence-sharing that was part of their job. After he cooperated against Mikhaylov and Stoyanov, Dokuchaev received a 6-year sentence in April 2019 but was released on May 13, 2021, after serving only a third of his sentence. This raises the question of whether he was expected to perform services for the motherland in return, just as Pavel Vrublevsky himself had appeared to do. The Mikhaylov case, just like the 2021 arrest of Group-IB’s Ilya Sachkov, likely serves to discourage any Russian citizen who would cooperate with foreign law enforcement.
Topsy-Turvy World:
Chronopay’s Pavel Vrublevsky himself also testified in the treason trial against FSB official Mikhaylov. He said in a 2020 interview, “There was this joke, it made the rounds even before his sentencing: How did you figure out that Mikhailov was a spy? Because he did not take bribes...” One should take Vrublevsky’s statements with a grain of salt, but if true, it illustrates the topsy-turvy mores of Russian law enforcement, where bribe-taking is the norm and a non-bribe-taker is considered a spy.
Russian Arrests as Inducement and Bargaining Chip
Russia did undertake some investigations and arrests of ransomware actors in this period, most notably the REvil arrests of January 2022. However, other Russian government motives may have been behind these actions. Russian detentions of cybercriminals did not necessarily stop them from carrying out cybercrimes. Rather, the Russian law enforcement activity can plausibly be understood as a way to frighten criminals into cooperating with the Russian government, as researchers at the Federal Institute of Technology in Zurich pointed out at the time.
As we saw in “Ransom-War” Part 2b, the 2021 and 2022 arrests made the Russian cyber-criminals feel vulnerable, likely making them more amenable to cooperating with Russian special services. In the first quarter of 2022, after the full-scale invasion of Ukraine, the number of ransomware incidents and the amount of ransoms demanded and paid dipped significantly. The Stanford Internet Project assessed that the criminals were likely too busy helping the government attack Ukraine to pursue their own lucrative attacks.
The REvil Takedown: Incomplete
The REvil takedown appeared to be a sign of Russian-US cooperation after the Biden-Putin summit, and some news reports treated it as such. However, there may have been less to this takedown than meets the eye.
Top Hackers Unscathed:
Some of the most egregious cybercriminals did not land behind bars. Mikhail Matveev (a.k.a. Wazawaka), for example, remained at liberty, openly issued a vitriolic video on January 25 2022, and threatened to leak a zero-day exploit. Neither was Yevgeniy Igorevich Polyanin arrested. In an August 2021 indictment unsealed in November 2021, the US had charged Polyanin with allegedly using REvil malware to disable multiple government networks in the US state of Texas in 2019. Aleksandr Sikerin, a.k.a. “Sheriff,” another REvil affiliate, also remained at liberty in Russia. On May 9 2022 “Sheriff” posted on an underground forum, offering to pay $50,000-$150,000 for login credentials for vpn1.colpipe.com, the website of Colonial Pipeline. “Sheriff” commented, “Love seeing these dirty ... americans scramble for supplies” [sic], reminding readers of America’s vulnerability to pipeline attacks like that of May 2021.
Some of the suspects arrested on January 14 2022 had been in the sights [поле зрения] of Russian special services since 2017, and the operational work done then helped lay the groundwork for the criminal case, an “informed source” told Russian news agency Interfax in 2022. However, the special services waited out many months of insistent US appeals and information sharing before moving against those suspects. By not arresting these suspects and allowing them to continue their lavish lifestyles, Russian law enforcement appears to have been thumbing their nose at cooperation with Western law enforcement.
Closing the Barn Door After the Horse has Left
Crime researcher Mark Galeotti, whose work we discussed in Part 4a, has discerned an intriguing phenomenon in the Kremlin’s treatment of common criminals: the Kremlin may actually hesitate to challenge crime groups that remain active and powerful. He noted in late 2023 a “series of high-profile court cases in which criminals who essentially made their names in the ‘wild 90s’ have finally been brought to book, after years in which the Kremlin seemed happy to let them be.” The belated 2023 arrests likely aimed to “demonstrate the authorities’ will and capacity to crack down on criminality, but without engaging with today’s major gangs and leaders.” One can discern a similar pattern in Russian takedowns of cybercriminals.
The REvil arrests took place several months after the ransomware operation had already closed down in October 2021 as a result of the apparently US-engineered takedown of their infrastructure. Similarly, on January 22, 2022 Russia arrested a member of the Infraud carding ring, which had already been decimated by US arrests and had announced its own retirement on January 12. On February 7, 2022 Russian police seized the websites of SkyFraud and other carding rings, which had already been losing market share in 2021, according to Group-IB.
More recently, it was only in February 2024 that Russian cybersecurity company FACCT (a Group-IB spinoff) announced that Russian police had raided the apartments of SugarLocker group members the previous month and arrested three members. The SugarLocker crime group is associated with Aleksandr Ermakov, who is believed to be part of REvil and whom UK, US and Australia sanctioned on January 23 2024 in connection with an attack on Australian health insurance company Medibank. The date of announcement of the arrest overlapped with a massive international operation against the Lockbit gang. The SugarLocker announcement “could be coincidental or could be timed specifically to show they can also do arrests,” according to Dmitry Smilianets of Recorded Future. By arresting members of groups that were past their prime, while neglecting to arrest active criminals like Matveev/Wazawaka and Polyanin, the Russian officials seemed to be putting on a show of a crackdown but without teeth.
Keeping People in Custody Gives You Control
Having people in custody allows you to put pressure on them. “Ransom-War” Part 4a mentioned Lurk group member Konstantin Kozlovsky, who kept embellishing his story, accusing more and more people of treason, as he came up for hearings on his sentence, suggesting he is amenable to saying whatever it takes to get himself out. You can also take advantage of criminals’ services while they are behind bars.
Having people in custody also prevents them from going abroad and facing arrest in other countries. That is one possibility Ukrainian cybersecurity official Natalia Tkachuk suggested in April 2022.
As of mid-2022, IT specialists in prison included: the REvil actors authorities arrested in January 2022; the Colonial Pipeline suspect; Ilya Sachkov, the head of the cybersecurity company Group-IB; Pavel Vrublevsky of Chronopay; and Dmitriy Pavlov of the Hydra underground network, as well as former FSB official Mikhaylov and Kaspersky researcher Stoyanov. Dokuchaev was out.
REvil Suspects in Limbo Serve as Bargaining Chips
The REvil suspects arrested in January 2022 were still in custody as of July 2024. Their case bounced back and forth between civil, military and appeals courts (an appendix below includes a timeline of the REvil prosecution and a critique of a recent Russian media article detailing the case). The case was finally scheduled for oral argument on July 5, 2024, but only on narrow charges of carding a few Mexican Americans. Russian officials complained that the US was not providing enough information. As described below, the suspects served as pawns in several different gambits to pursue Russian strategic goals, such as agreement to Russia’s controversial proposals for a UN agreement on “international information security.”
Lobbying for Russian Diplomatic Goals
Top Russian officials linked the threat of REvil and other cyber threat actors with demands for the US to assent to Russian strategic goals on “non-interference” and Russia’s version of a UN agreement on international information security. These statements were timely, as a United Nations discussion on a Russian-sponsored proposal for a treaty on international information security began on May 30 2022. Russia and China have for years been pushing for the UN’s International Telecommunication Union (ITU) to exercise more control over Internet governance, rather than the current multi-stakeholder system, and for respecting countries’ “sovereignty” in regulating their domestic Internet space. Western countries have for years criticized Russia’s proposals as justifying censorship and surveillance under the guise of fighting cybercrime. Russia and the US were also already campaigning for their respective candidates in the September 29 2022 election for ITU Secretary-General. (The US candidate eventually won the election.)
In a March 2022 interview, Russian Deputy Foreign Minister Oleg Syromolotov said he hoped Russian-US dialogue on cybersecurity could resume, provided that the US observe the conditions Putin set in his September 2020 declaration (hxxps://tass[.]ru/politika/14063755; short English version here). As mentioned above, that declaration included “non-intervention” in Russian affairs. Syromolotov added that high-level cybersecurity talks had already brought tangible results such as the REvil arrest. Some analysts interpreted Syromolotov’s comment as a veiled threat from Russia to unleash the REvil actors for further attacks.
Russian Security Council official Khramov, in an April 7 2022 interview, said that when the US had shared information on suspects with Russia, the US officials had arrogantly demanded that Russia immediately arrest the suspects. According to Khramov, the American negotiators “said that only in that way could they receive Washington’s ‘blessing’ for subsequent cooperation with the goal of achieving the agreements that Vladimir Putin had called for in his declaration of September 25 2020.”
Similarly, in a May 2022 speech Khramov claimed the US had unilaterally ceased information security cooperation with Russia, including on the REvil case. He claimed this showed that “the Americans were pursuing other goals, far from the achievement of global cybersecurity.” Khramov said the REvil arrest was a “logical result” of their short-lived cooperation, but that the US had failed to send evidence of harm done by the ransomware actors, so Russia could not determine proper charges. He added that the US had been blocking adoption of Russia’s proposals for a global convention on international information security (hxxps://tass[.]ru/politika/14657587).
On April 14 2022, Russian cyber negotiator Andrey Krutskikh joined the chorus of complaints that the US refuses to accept Russia’s UN proposals on international information security (hxxps://mid[.]ru/ru/press_service/1809317/?msclkid=95f247eebc2211ec8f5f530d2df3cf1c).
Threats
In the April 2022 interview Khramov stressed the vulnerability of supposedly superior American computer systems, appearing to dangle the threat of Russian hackers breaching American ‘smart’ homes as “payback (расплата)” for US “arrogance (самонадеянность)” and for US rejection of Russian proposals on international information security. Similarly, cyber negotiator Krutskikh, blaming the US for encouraging pro-Ukrainian hacktivist attacks on Russia, warned on June 6 2022, “We do not recommend that the United States provoke Russia into retaliatory measures...there will be no winners in a direct cyber clash of states." (hxxps://mid[.]ru/ru/foreign_policy/news/1816353/).
Soon after Khramov’s April 2022 interview, an underground leak site purportedly belonging to REvil reappeared, as if to show how the supposed US failure to cooperate with Russia could allow the resurgence of cybercrime. It is unclear, however, who controls this leak site, as US law enforcement had supposedly taken over REvil infrastructure in October 2021 and Russia had seized further infrastructure in January 2022.
Similar threats appeared on May 27 2022 in Kommersant. According to the article, provocatively entitled “Russian Hackers Don’t Matter to America: Prosecution of REvil Suspects Is at a Dead End,” REvil suspects’ defense lawyers blamed the US for supposedly not turning over enough evidence on the suspects. The lawyers hinted the suspects could make a deal with the prosecutors, such as by giving up their allegedly ill-gotten gains in return for the dropping of the charges. “Besides,” Kommersant concluded, “the unique experience of the former suspects would probably be useful to Russian intelligence in the fight against the hackers from Ukraine, who have become active recently.” The Washington Post and other commentators understood this as a veiled threat of further state-inspired Russian criminal activity against the enemies of Russia.
Update August 1 2024: Russian hacker Roman Seleznev and hack-and-trade scheme participant Vladislav Klyushin were among eight Russians released as part of a giant, multi-country prisoner exchange with Russia, the fruit of over a year’s worth of negotiations. Aleksandr Vinnik and Vladimir Dunaev, two hackers in US prisons, do not appear to have been exchanged, even though their names reportedly disappeared from a database of the US Bureau of Prisons.
APPENDIX: Milestones in the Russian Prosecution of REvil Suspects
On January 14 2022, Russia’s Federal Security Service (FSB) announced it had searched 25 locations associated with 14 people suspected of participation in crippling ransomware attacks as part of the REvil ransomware group. They said they were acting on information that US law enforcement had provided.
Eight suspects were arraigned in Russian courts:
Andrey Bessonov
Mikhail M Golovachuk
Ruslan A Khansvyarov
Dmitry V Korotayev
Alexei V Malozemov
Roman Muromsky
Daniil D Puzyrevskiy [alternate spelling: Puzyrevsky]
Artyom N Zayets
“We understand that one of the individuals who was arrested today was indeed the individual responsible for the attack against Colonial Pipeline last spring,” an unnamed senior White House official told reporters.
Updates October 30:
Russian media would focus particularly on Daniil Puzyrevskiy as the supposed group leader and Colonial Pipeline suspect, but the Natto Team has seen no confirmation or denial of this by US authorities.
It appears that at least one other suspect, Aleksey Skorobogatov, was questioned and released (see below). In addition, former NSA Cybersecurity Director Rob Joyce said in an April 14 2024 interview that after Russia’s full-scale invasion of Ukraine, “those people were let outta jail.” It is unclear whether he has in mind the eight arraigned suspects or someone else.
The prosecution of the eight imprisoned suspects inched forward slowly, with Russian officials blaming the delays on US intransigence.
On February 6 2023 Kommersant reported that police had completed the investigation of the case. The suspects were being charged with 24 counts under Article 187 of the Russian Criminal Code, which deals with the “creation and sale of false credit or payment cards.” In addition, the “suspected group leader, Saint Petersburg resident Daniil Puzyrevskiy,” was also being charged under Article 273, which covers the “creation or use of computer programs for the destruction or blockage of computer information or the neutralization of computer information protection tools.”
On October 27 2023 the military court trying the REvil suspects declined to return the case to the prosecutors for further investigation, instead letting the prosecution process go forward.
On November 23 2023, Russian judicial news website RAPSI reported that the defense lawyers for the REvil suspects claimed that the defendants had nothing to do with the REvil ransomware group. The suspects claimed they did not understand the charges. They said the article under which they were charged, Article 187 of the Russian Criminal Code, “possessing electronic means to illegally transfer money as part of an organized group,” required showing 1) a violation of a law on banking activity and 2) harm to Russia or a Russian citizen. “According to the case materials, no harm was caused by the activity of the suspects, and the interests of society and of our state were not affected. In addition, it has not been established that actions of the defendants caused harm to foreign citizens or states,” said the defense lawyer. The defense lawyers, including Viktor Smilyanets, had previously argued that, without additional information from the US, the only evidence the Russian prosecution had dug up against the suspects was a few credit cards of Mexican immigrants in the US from which the suspects had allegedly taken a few dollars. The defense lawyers said the case materials did not even identify the banks that had issued those credit cards. As US-based cyber threat intelligence analyst Azim Khodzhibaev notes, whereas previously only defendant Puzyrevskiy had been charged under Article 273, creating malware, now that statute was being applied to both Puzyrevskiy and Khansvyarov. The others are still being tried under Article 187.
April 11 2024: A military court heard the presentation of defense evidence. “The Military Court Refused the Challenge,” according to the title of a Kommersant report (hxxps://www.kommersant[.]ru/doc/6636183). The defense lawyers had previously claimed that the only evidence that the Russian FSB and MVD investigators had dug up against the suspects were the few credit cards of Mexican immigrants in the US from which the suspects had allegedly taken a few dollars. The defense lawyers said the case materials did not even identify the banks that had issued those credit cards. The defense lawyers asked the Russian court to question those Mexican-American victims or the banks that had issued their cards, to make sure that the cards had even been stolen; perhaps the cards had already been simply canceled. The defense lawyers also said the original expert witnesses from “United Card Services” were not properly licensed and asked for the MVD experts to be questioned in court, but the military prosecutor opposed this, saying the expert witness report had been done correctly. The judge supported the prosecutor.
July 5 2024: Oral argument was slated to begin in the REvil case in a St. Petersburg military court, according to a detailed but problematic report in Kremlin-friendly Russian periodical Izvestia.
Update August 2 2024: According to the entry for Case 1-6/2024 in the database of the Saint Petersburg Garrison Military Court, the July 5 2024 hearing was postponed because one of the defendants was out sick. On July 15, 2024, the hearing was postponed for “other reasons.” It was rescheduled for August 26 2024.
Update October 9 2024: On October 8, the semi-independent Russian business periodical Kommersant reported that debates on the case of four REvil suspects began that day. Military prosecutors asked for sentences of between 5 and 6-1/2 years in a general-regime penal colony. For Daniil Puzyrevskiy [whom Russian media have described as the “leader” of the group and as the Colonial Pipeline suspect], the prosecutors requested 6-1/2 years and a 200,000 ruble fine. For Ruslan Khansvyarov: 5 years and a 750,000 ruble fine; for Aleksey Malozemov and Artem Zayets – a penalty of 5 years and 700,000 rubles each. All of them are accused of payments fraud, and Puzyrevskiy and Khansvyarov are also accused of illegal access to computer information (art. 272 of the Russian Criminal Code). “All of the defendants have been in custody since early 2022 and do not admit their guilt.”
On Wednesday October 2 2024 Kommersant had reported that “Last Tuesday” (i.e. October 1?) the Saint Petersburg Garrison Military Court ruled to separate out the case against four other suspects – Andrey Bessonov, Mikhail Golovachuk, Roman Muromskiy and Dmitriy Korotayev. An additional charge – that of illegal access to computer information (art. 272) – will be added to their previous charge of payment fraud. Their case will be sent to the Russian Prosecutor General with a view to the subsequent combining of the criminal cases. (As of October 9 the court database is inaccessible, likely due to a wide-ranging cyberattack on Russian courts).
Interestingly, the Kommersant article, although it said the REvil suspects have been in custody since early 2022, also implied that the arrests of the suspects took place in July 2021, just a few days after a famous telephone call where US President Joe Biden asked Russian President Vladimir Putin to stop Russian ransomware actors. It is unclear how they could have been arrested in July 2021 but been in custody only since January 2022. (As the Natto Team previously pointed out, an Izvestia article from July 2024 claimed that Russian law enforcement actions against the REvil suspects began back in April 2021, after an earlier Biden-Putin phone call, not in July 2021). For what it’s worth, the FSB officers in the video of the arrests are wearing warm jackets, suggesting the arrests more likely took place in January than in July. Russian state news service TASS agrees that all 8 suspects were arrested in January 2022.
The October 2 article cites Russian General Prosecutor Igor Krasnov as telling Russian state news service RIA Novosti that “at present the American side is sabotaging the agreement on legal cooperation, even though officially their cooperation has not stopped.” Other Russian officials said that Russian-US law enforcement cooperation did officially stop after the Russian full-scale invasion of Ukraine in February 2022. These shifting messages in Russian media suggest that ransomware diplomacy continues.
Update October 29 2024: On October 25 four of the REvil suspects were sentenced in Russia. They got slightly smaller sentences than the prosecutors requested. Kommersant -- a relatively independent Russian business periodical -- keeps playing around with what dates it says the arrests occurred [hxxps://www.kommersant[.]ru/doc/7263987]. It claims that arrests of REvil members occurred in June 2021, “a few days” after a supposed Biden-Putin phone call. They may be confusing the Biden-Putin summit of June 16 2021 with a couple of phone calls the leaders had, in April and July 2021. Some REvil members may indeed have been hauled in for “prophylactic chats” in summer 2021, but the main REvil arrests were in the winter (cf. the videos of the arrests, where the officials were wearing warm coats).
July 5 2024 Izvestia Report: Juicy but Problematic
On July 5 2024 Kremlin-friendly Russian periodical Izvestia published a long article on the REvil case, in which it claimed to have seen nonpublic case materials. The Izvestia report provides some fascinating detail, but it is marred by major misstatements that call into question everything the article says. (An English translation of excerpts of the Izvestia article appears here).
The misstatements:
Izvestia reported, “The suspects were arrested soon after President Joe Biden called Vladimir Putin in April 2021 [sic] and asked him to stop [REvil] activity. The reason was cyberattacks on big American companies.” It refers to a Biden phone call to Putin after the Kaseya attack, which it says took place April 9 2021, but which actually took place July 9 2021.
Izvestia also says that in “spring 2021” the FBI turned over an IP address that allowed Russian investigators to identify REvil members. However, Russian Security Council official Khramov made it clear that the FBI’s turning over an IP address and name of the Colonial Pipeline suspect took place after the May 30 2021 JBS ransomware attack.
Tesla/RagnarLocker Connection? Izvestia claims to have seen materials from the REvil prosecution that mention an attempt to buy off a Tesla employee for $1 million. This must refer to the case of Egor Kriuchkov, who pled guilty in a US court in 2021. Natto Team notes that the Tesla incident likely had a link with the RagnarLocker ransomware group. If Izvestia is correct that this case appears in the REvil case materials, that may suggest a relationship between RagnarLocker and REvil. Update October 15 2021: The article specifically identifies Aleksey Skorobogatov as the person who recruited Kriuchkov to convince an acquaintance at Tesla to place ransomware in Tesla’s system. Skorobogatov is Puzyrevskiy’s high school classmate and business partner. He was questioned and released at the time of the January 2022 arrests, according to a January 2022 profile of the REvil suspects by independent Russian journalists.
Identifying Colonial Pipeline suspect: Izvestia openly claimed what had previously only been implied: that Daniil Puzyrevskiy is the main suspect the US identified in the Colonial Pipeline attack. The US does not appear to have commented on whether this is correct. The US PACER database of publicly available court documents does not appear to mention Puzyrevskiy.
Paltry charges: Izvestia acknowledges that the charging documents in the case do not mention the connection to the Tesla case. Indeed, the charging documents allege only that the suspects stole credit card information from a handful of Mexican-Americans.
Blaming the US: Izvestia said “the investigation of REvil crimes was downgraded [утратило масштаб] after February 2022 – when the special military operation started, the US Justice Ministry has ignored requests from the Russian side for help in this case.” Russian participants in the case say they need to establish that a victim suffered from the crime, and they claim the US is not giving them enough information to establish that.
Big Share of Ransom: Izvestia said Puzyrevskiy got 85% of the ransom that Colonial Pipeline paid. This aligns with the number of Bitcoins that the US Justice Department seized. This suggests Puzyrevskiy may have been an affiliate with a very generous arrangement with the people who controlled DarkSide ransomware. Most affiliate programs give the affiliates a smaller percentage of ransom payments. REvil, for example, initially offered their affiliates a 60% share of ransom money, rising to 70% after the first three operations.
In contrast, Qilin, the group that has been in the news for crippling the UK National Health System in 2024, offered up to an 85% share, cybersecurity firm Group-IB reported in 2023. Similarly, affiliates of the BlackCat (AlphV) ransomware operation – a descendant of DarkSide – have recently been earning 80 to 90 percent of ransom money paid, according to The Register, a UK-based technology news source.
Update August 23 2024: The 85% figure is actually not outlandish for DarkSide, Mandiant wrote in 2021. “Based on forum advertisements, the RaaS [ransomware-as-a-service] operators take 25% for ransom fees less than $500,000, but this decreases to 10 percent for ransom fees greater than $5 million,” according to Mandiant.
Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — focusing on their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context.
“Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware operations of 2021 in the context of this political culture and international tensions of that year.
Biden’s mention of an international standard probably refers to the standard that a UN working group would sign two weeks later, on May 28 2021. The UN report says “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs [information and communications technology]” and should “respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.” Russia signed the document, but the norms are non-binding, and Russia’s actions suggest it has no intention to abide by them.
It is unclear which country’s law enforcement requested the shutdown; if it was in Russia, that would indicate the Russian authorities were taking action against DarkSide. DarkSide has hosted various parts of its infrastructure in various places, reportedly including Russia, possibly “Iran or unrecognized republics,” and the US. In November 2020 DarkSide announced a “sustainable storage system” for stolen data: “We will specifically use servers in Iran or unrecognized republics so that you [sic] cannot block them.” When this was picked up by Western media, DarkSide operators denied using Iranian IT services – leaving open the possibility that they were still using servers in unrecognized republics such as in Russian-occupied parts of Ukraine, Georgia or Moldova. DarkSide actors are known to have used (in 2019 and again beginning April 19 2021) a command and control server at the IP address 185.180.197[.]86. This IP address is co-located in the US with Netherlands-based KingServers, the hoster that also facilitated the Russian hacks of US Democratic targets in the 2016 US elections. But Metabase Q, a US-based, Latin-America-focused cybersecurity company, reported, based on analysis of a DarkSide sample used during the Colonial Pipeline attack, that DarkSide’s central server [i.e. command and control server] is “located at securebestapp20[.]com, a domain created on September 16th, 2020, which is hosted on the infrastructure of the Russian provider Eurobyte (eurobyte[.]ru).”