Russia's decision to raid and arrest numerous members of the REvil ransomware group was likely “politically motivated” and could be used by the country used as “leverage”.
That's according to Chris Morgan, a senior cyber threat intelligence analyst at cyber security company Digital Shadows, who told IT Pro that Russia’s Federal Security Service (FSB) “raided REvil knowing that the group were high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape”.
Following the arrests of 14 suspects on Friday, Moscow’s Tverskoi Court has named the eight individuals to be charged as Roman Muromsky, Andrey Bessonov, Golovachuk M.A., Zayets A.N., Khansvyarov R.A., Korotayev D.V., Puzyrevsky D.D., and Malozemov A.V.
The arrests took place a day after the Ukrainian government’s websites were taken down by a cyber attack on Friday, which was unofficially attributed to Russian-aligned threat actors.
“It’s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine's border,” said Morgan. Russia has reportedly deployed around 10,000 troops to the border.
Cybereason chief security officer Sam Curry said that the arrests are “unlikely” to signal a change in Russia’s policy, which in the past has been accused of sponsoring cyber criminals.
“Far more likely is providing a counterpoint to other news on the world stage, to confuse or perhaps even to provide legitimacy to a crackdown on criminals who are “state ignored” (i.e. sanctioned) to keep them in line and playing by the rules domestically,” he told IT Pro.
Curry added that the arrests could lead to less ransomware attacks – for now at least.
RELATED RESOURCE
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security tools
“The bottom line for those outside Russia is that a major player is taking a hit, which will mean a reduction in victims for the time being. As with most criminal syndicates, though, there’s always another player around to fill the void. And until Russia actually changes domestic policy with regard to International cyber crime, the rest of the world shouldn’t read too much into it,” he said.
However, Morgan believes that the arrests will have a “small impact on the current ransomware landscape”, noting that REvil hadn’t conducted any attacks since October 2021.
“The FSB stated that the arrests were made following 'an appeal' from the US authorities, while the hacking group had in the past targeted American companies including Apple and JBS.
“While the specific dialogue between the United States and Russia on this operation are unclear, this statement possibly represents a backhanded message highlighting that Russian authorities can be used to stop ransomware activity, but only under certain circumstances.”
-
Global cybersecurity spending is set to rise 12% in 2025 – here are the industries ramping up investmentNews Global cybersecurity spending is expected to surge this year, fueled by escalating state-sponsored threats and the rise of generative AI, according to new analysis from IDC.
-
Google Cloud is leaning on all its strengths to support enterprise AIAnalysis Google Cloud made a big statement at its annual conference last week, staking its claim as the go-to provider for enterprise AI adoption.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
