In the wake of the takedown of the REvil/Sodinokibi ransomware gang by the Russian Federal Security Service (FSB) on January 14, Eastern-European cybercriminals are feeling the ground shake. In the days following the FSB action, Trustwave SpiderLabs researchers have analyzed a slew of Dark Web chatter and have found that this potential new world is breeding fear in that community.
What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future. The comments mentioned a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation with the United States and Russia will be a problem for their operations going forward.
One forum member said: “This is a big change. I have no desire to go to jail.”
This unprecedented action from the Russian FSB aligns with the fear that we've observed while conducting cybercriminal chatter reconnaissance on the Dark Web.
Cybercriminals on the Dark Web back in November 2021 believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia.
“All who exchange in Moscow or St. Petersburg stop, the FBI in Moscow. Through the money exchangers, the hardworking ransomwares are covered (captured).”
This comment likely alludes to the forum members suspecting that some of those who help them with money exchanging or laundering may have collaborated with law enforcement or delivered information during an interrogation.
One commenter went so far as to predict that arrests would take place within two months. Given that this prediction was made in November, it turned out to be quite accurate.
Another commenter noted: ”I confidently declare - all smeared with ransom will be **** in the best traditions during the 2022 year, and the luckiest - in the next two months. But not everyone has realized this yet.”
In December, Trustwave SpiderLabs detailed extensive Dark Web conversations between these threat actors expressing concerns that law enforcement was actively on the hunt and that Russia and U.S. authorities were cooperating to combat ransomware.
Since the Russian FSB operation against the REvil group on January 14, during which the FSB and police raided 25 addresses, detaining 14 people and grabbing millions in cash and property.
Eastern European threat actors have been expressing a variety of concerns on various Dark Web forums. These worries range from no longer feeling safe in their home country -- to fears that one of the forum administrators may be working with law enforcement. Here's what one of the forum members said: “I will publish part of my personal correspondence, without his consent, since he disappeared without a trace, very likely thanks to a person under the nickname RED \ KAJIT, he is the administrator of the ramp forum, who works for law enforcement against ordinary hard workers.”
Since many administrators have access to the contact information of forum members, the concern expressed here is understandable and real. If forum members do not trust each other anymore, that will definitely make it harder for them to conduct business on these forums. This level of worry and fear expressed by Dark Web forum members is something we have not seen before.
From the conversations we’ve observed, it is clear that these people no longer believe Russia is a safe harbor for their activities. Some even went so far as to discuss the positive or negative aspects of moving their operations to India, China, the Mid-East, or even Israel.
One forum member said: “The first consequences of the arrival of the director of the CIA. ... In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed.”
Forum members swapped numerous tips for how to stay safe if, in fact, Russian law enforcement continues to crack down on cybercrime. In addition to finding a new location from which to operate, forum members offered a slew of suggestions to help stay under the radar.
These tips ranged from using Tor for keeping their anonymity to deleting old messages, or using encryption, and not keeping all their stolen goods on one computer.
“They [the data] have not been encrypted at all. All the loot on 1 computer, there is also software with trackers. I'm paranoid with my pennies because of the browser on the same machine with BTC [Bitcoin].”
“All in all, it's a terrible precedent. It is now dangerous to write anything at all, anywhere. All posts need to be cleaned, those who are connected with cybercrime. Right now, they can still raise in IRL those who have withdrawn loot from BTC to cash, if they haven’t raised it yet. And there are cameras everywhere in Moscow and St. Petersburg.”
Pointing out the large number of cameras in these cities is an important comment because some threat actors visit banks or ATMs to withdraw cash, it behooves them to be aware that they are exposing themselves to law enforcement surveillance.
Several forum members also took time to criticize REvil’s actions that led to its downfall and urged others not to emulate the group’s behavior. Forum members suggested that REvil’s biggest downfall came because of the highly publicized boasting of their accomplishments and the targeting of multi-billion-dollar corporations located in countries that had the political firepower to pressure the Russian government to take action.
One person noted REvil should have been more careful: “It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?”
Another pointed out how REvil’s behavior impacted many others: “They climbed everywhere indiscriminately without understanding which country [they were attacking].”
One forum member raised the possibility that the FSB operation was in fact, faked or was only “a show” for international consumption. This thought allowed them to hold out hope that the FSB’s move would not end with serious punishments for the arrestees.
One possible reason for the FSB to fake or not follow through on these arrests could be that it’s just trying to placate the U.S. and avoid additional economic sanctions.
“Considering that most of the gloating people use / flood / heck something, one way or another commit illegal actions with Western material or infrastructure. Have a conscience and a modicum of empathy, folks. The fact that you were not taken does not mean that you could not be in their place. People, as I understand it, worked in foreign countries, and will get confiscation of property and potentially imprisonment from our country. If this is still not fake, then a very sad situation and an unpleasant precedent.”
The reaction observed in the forums is an indicator that these threat actors are concerned about how these arrests will affect their malicious operations in the future. Cybercriminals are worried that since Russian President Putin likely ordered the recent police operation, the normal methods some threat actors used to avoid prosecution may no longer work such as the use of corrupted officials.
There is a strong chance that the FSB’s activity has a long-term impact on cybercrime, but only if the Russian government follows through and prosecutes those arrested to the full extent of their law. Russian prisons are no walk in the park, and cybercriminals know that.
There was some contention between forum members on the possibility of being sent to prison and possible sentence length. It’s obvious from the fact that these people can cite specific legal statutes and that they take the threat of prison seriously.
One person seemed to believe the charges would not be that serious: “As I understand it, they are charged with Article 187 of the Criminal Code of the Russian Federation, and there is maximum of 7 years, i.e. it's not even a serious crime.”
While another took exception to this line of thought: “Learn the Criminal Code. This is a serious crime. The creation of an organized crime group [can get you] from 12 to 20 years [in prison]”
Another commenter noted that the best move for people in this line of work is to maintain a low profile.
“As practice shows, being a superstar in our business is a very bad idea.”
Another forum member noted it’s important to not only keep a low profile in general but also to not lead an extravagant lifestyle as this might catch the eyes of law enforcement officials: “Do not talk left and right, do not attract attention to expensive purchases.”
So, while time will tell if the fears expressed on these forums will hold weight, overall, seeing cybercriminals worried is a good sign. The fact that we’ve never seen forum members comment in this manner is significant.