Ride the Lightning

Dark Web Chatter Suggests Ransomware Criminals Are Worried

January 25, 2022

ZDNet reported on January 21 that ransomware gang members are worried about being tracked down and arrested following Russia’s arrest of 14 members of the REvil ransomware gang. White House officials told reporters that the person behind the ransomware attack on Colonial Pipeline last year was arrested as part of those arrests.

On January 14, Russia’s Federal Security Service (FSB) announced it had detained members of the REvil ransomware gang operating from several regions of the country and dismantled the group’s operations.

According to analysis of chatter on dark web forums by cybersecurity researchers at Trustwave SpiderLabs, the recent arrests, particularly those by Russia, appear to have scared cyber criminals, some worried that they might be next.

Cybersecurity experts note that many of the major ransomware operations work out of Russia, which has previously tolerated them if they were attacking Western targets.

“This is a big change. I have no desire to go to jail,” wrote one forum member.

I suspect a lot of cybercriminals feel exactly that.

“In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said another.

Understandably, there’s another worry – that administrators of the dark web communities, who would have details about their users, could be coerced into helping law enforcement after their arrest.

Some forum members and ransomware affiliates suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many.

“Those that are seasoned in cybercrime understand that by moving outside of Russia, they’ll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves,” Ziv Mador, VP security research at Trustwave SpiderLabs, told ZDNet.

“Also, there is a large talent pool in Russia already, so more members and affiliates can always be recruited. Recruiting can become more difficult in other geographies. There is a level of trust that is required, and that trust diminishes the further away a prospective member is from ‘home base’,” he added.

Some of the cybercriminals blame a string of high-profile attacks against major targets in the United States for the arrests.

“It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?” one user wrote.

“They climbed everywhere indiscriminately without understanding which country [they were attacking],” said another.

I trust their worrying is well-founded.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson