Full Report
Community Feature - @SttyK, Curated Intelligence's OSINT Ninja - Sh1ttyKids - has shared a collection of geolocation reports related to the REvil ransomware gang. On 14 January, the Russian FSB issued a press release following the takedown of the REvil ransomware gang. After the press release, the identities of several REvil members have been publicly disclosed. In the FSB's video, the home addresses of the REvil members were shown during the raids.

https://twitter.com/i/events/1482283630097543169

REvil's arrest on Russian soil is an unprecedented turning point in the fight against ransomware. The reaction on the Russian cybercriminal underground forums has so far been one of betrayal and fear. Ransomware has gone unchecked for years. Groups like EvilCorp have publicly flaunted their wealth on social media and on the streets of Moscow. It makes it virtually impossible to believe that the FSB had no knowledge of these ransomware groups, choosing instead to let them operate openly as long as they only targeted America.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Threat Actor: REvil (also known as Sodinokibi)
## Attribution & Identity
The threat actor is the **REvil ransomware gang**.
Attribution is tied to **Russian soil**, as the group’s activity was subject to a takedown operation announced by the **Russian FSB** on January 14, 2022. The FSB operation resulted in the public disclosure of identities of several REvil members following raids.
## Activity Summary
The article focuses on the **takedown of the REvil ransomware gang** by the Russian FSB in January 2022. This event is described as an unprecedented turning point in the fight against ransomware. The article notes that the reaction in the Russian cybercriminal underground was characterized by **betrayal and fear** following the arrests. Prior to this, groups like REvil were reportedly able to operate openly within Russia, suggesting potential tacit approval by Russian authorities as long as their targets were external (e.g., American entities).
## Tactics, Techniques & Procedures
The provided text does not detail specific technical TTPs or MITRE ATT&CK IDs, as the focus is on the operational and geopolitical context of the arrests.
## Targeting
- Sectors: Not explicitly detailed for REvil specifically in this excerpt, but the context implies targeting was global and likely focused on high-value targets typical of major ransomware operations.
- Geography: The actors operated from **Russia**, but their targeting was implicitly external (e.g., against American entities, as suggested by the context regarding FSB tolerance).
- Victims: Specific individual victims are not mentioned in this summary excerpt.
## Tools & Infrastructure
- Malware families used: **REvil ransomware**. No specific C2 domains, IPs, or other infrastructure details are provided in this content.
## Implications
The arrest and takedown of REvil members on Russian soil by the FSB is considered a **major, unprecedented development** in global cybersecurity efforts against ransomware. It suggests a possible shift in Russian state posture concerning high-profile cybercriminal groups operating domestically, or possibly pressure directed at specific groups. The reaction from the cybercriminal underground indicates **fear and uncertainty** regarding the safety of operating within Russia.
## Mitigations
The text mentions the FSB action but **does not provide specific defense recommendations (mitigations)** for organizations against REvil or similar actors based on this intelligence.