Europol also announced on Monday that Romanian law enforcement recently arrested two suspected REvil affiliates who allegedly perpetrated 5,000 ransomware attacks and extorted close to $600,000 from victims. Justice Department officials referenced this and other recent global law enforcement operations in their remarks on Monday.
“One thing that stood out to me was calling out smaller countries like Romania and Estonia for their cooperation,” Recorded Future’s Liska says. “I think this is a good strategy to further isolate Russia.”
Officials also praised Kaseya on Monday for cooperating with law enforcement in the wake of the company’s attack. This may indicate an effort to strike a difficult but potentially vital balance. The US government has long discouraged victims from paying ransoms, but the hardline approach is one factor that has made victims wary of coming forward and potentially limiting their options. While not encouraging payment, officials have seemingly refocused on encouraging victims to come forward and collaborate so law enforcement can take quick action against perpetrators.
“I’m cautiously optimistic because of the broad nature of this announcement,” says Katie Nickels, director of intelligence at the security firm Red Canary. “REvil was honestly already on the downswing after the Kaseya incident, but there are still other groups that are really bad right now. Adversaries are going to be looking to see is this a limited action or can law enforcement continue imposing costs?”
REvil and its affiliates were on a tear earlier this year, targeting the global meat purveyor JBS and others before the Kaseya attack. That high-profile incident, coupled with intense scrutiny of the Russian ransomware gang DarkSide, largely forced REvil underground over the summer. The group seemingly began to reemerge this fall but was recently knocked offline by an international law enforcement operation that compromised and took down the gang’s digital infrastructure.
If officials can keep it up, Nickels and other researchers say ransomware dynamics really could shift for the better. On Monday, the Justice Department seemed keen to establish such a track record as well.
“Today, and now for the second time in five months, we announce the seizure of digital proceeds of ransomware deployed by a transnational criminal group,” Attorney General Garland said. “This will not be the last time.”
For now, though, the steady drumbeat of ransomware attacks continues, thanks to an array of prolific attackers who haven’t yet been caught in law enforcement’s crosshairs. It’s not a foregone conclusion that officials will be able to continue applying pressure and racking up wins. But for the first time, agencies within the US government and beyond seem clear about a strategy, and focused on executing it.