Fearful chatter reveals unprecedented concern about future criminal operations, though some doubt Russia's commitment to stopping ransomware.

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force on January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

“The comments mentioned a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation with the United States and Russia will be a problem for their operations going forward,” the blog added. It cited one forum member declaring: “This is a big change. I have no desire to go to jail.”

Russia acting on ransomware is rare

“After nearly a week of monitoring chatter on Russian hacker forums, we noticed a huge change from the past in tone among the members of the online meeting sites,” says SpiderLabs vice president of security research Ziv Mador.

“In the past, cybercriminals felt very safe in Russia,” he says. “As long as they didn’t attack local targets, they felt they’d be fine. Russian cybercriminals had been arrested traveling outside the country, but this time they were arrested in Russian cities,” he continues. “That was a shocking moment for them.”

“Russia acting on any cybercrime report, especially ransomware, is especially rare,” adds John Bambenek, principal threat hunter at Netenrich, an IT and digital security operations company.
“Unless it involves child exploitation or Chechens, cooperation with the FSB just doesn’t happen.”

Was the Russian raid “a show” for international consumption?

There were some skeptics of the significance of the REvil raid in the forums monitored by SpiderLabs. One forum member raised the possibility that the FSB operation was, in fact, faked or was only “a show” for international consumption, Trustwave noted. This thought allowed them to hold out hope that the FSB’s move would not end with serious punishments for the arrestees.

“It is doubtful that this represents a major change in Russia’s stance to criminal activity within its borders—unless they target Russian citizens—and more that their diplomatic position is untenable, and they needed to sacrifice a few expendables to stall more serious geopolitical pressure,” Bambenek maintains.

“In three months, if there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach,” Bambenek said. “Nevertheless, it’s a big arrest and will have significant short-term impact to reduce ransomware.”

REvil had been inactive for months

The fact that the FSB targeted REvil, which had not been publicly active in conducting attacks since October 2021, is also significant, adds Chris Morgan, a senior cyber threat intelligence analyst with Digital Shadows, provider of digital risk protection solutions. “It’s possible that the FSB raided REvil knowing that the group was high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape,” he says.

Dirk Schrader, global vice president at New Net Technologies, a provider of IT security and compliance software, adds that only time will tell if the REvil raid will decrease ransomware attacks. “It is too early to say whether such a level of international cooperation will turn into systemic efforts to put an end to widespread ransomware attacks,” he says.
“Only consistent, united efforts to deprive the attackers of any safe harbor can ensure long term results.”