Full Report
Four REvil ransomware members arrested in January 2022 were released by Russia on time served after they pleaded guilty to carding and malware distribution charges. [...]
Analysis Summary
# Threat Actor: REvil Ransomware Gang
## Attribution & Identity
The threat actor discussed is the **REvil** ransomware group, also widely known as **Sodinokibi**. The summary focuses on members of this group who were recently released from custody after serving time for unrelated **carding charges**. The FSB claimed to have identified all members and neutralized the criminal infrastructure associated with the RaaS operation in January 2022.
## Activity Summary
REvil operated a Ransomware-as-a-Service (RaaS) operation. Key historical activities mentioned include:
* Participation in numerous ransomware attacks, including the devastating **Kaseya attack**.
* The gang **paused operations** following intense law enforcement pressure after the Kaseya incident.
* They **resumed operations** two months later but inadvertently restored systems controlled by law enforcement, leading to further arrests.
* The group's infrastructure was reportedly neutralized following arrests by the Russian FSB in January 2022.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Operated using a service model.
* **Infrastructure Seizure/Neutralization:** While not a TTP *used* against victims, the article notes law enforcement actions against their infrastructure.
* *No specific offensive TTPs (like exploitation methods or malware techniques) are detailed in the provided text snippet, beyond the core activity of deploying ransomware.*
## Targeting
* **Sectors:** Not explicitly detailed in this snippet, but the reference to the Kaseya attack suggests targeting of **Managed Service Providers (MSPs)** which subsequently cascades to their downstream clients.
* **Geography:** Implied global reach, with arrests occurring in Russia.
* **Victims:** Not named specifically, but the **Kaseya attack** is highlighted as a major operation.
## Tools & Infrastructure
* **Malware families used:** **REvil** (Sodinokibi) Ransomware.
* **Infrastructure (C2, domains, IPs):** The FSB claimed to have neutralized the group's information infrastructure. No specific C2s or IPs/URLs are provided and defanged in this summary snippet.
## Implications
The release of members previously detained for carding charges raises potential implications for the cybercrime ecosystem, though the FSB previously claimed the overall RaaS operation was dismantled. The mention of the US halting cybersecurity communication with Russia post-Ukraine invasion suggests potential geopolitical complications affecting future cooperation against these actors. The return of high-profile ransomware operators back into the general threat landscape is always a concern.
## Mitigations
* The article does not provide specific mitigation advice regarding the REvil malware itself, focusing instead on the legal status of its members.
* The surrounding content briefly suggests generalized IT hygiene, such as recommendations found in an advertisement regarding **patch management automation**.