Many an infosec watcher did a double-take when they read that Russia's Federal Security Service FSB posted a media release over the weekend that announced raids in Moscow and St Petersburg against the REvil ransomware gang.
REvil or Sodinokibi is an infamous ransomware-as-a-service group that rents out malware to affiliate extortionists. Among its better-known victims are Lion Breweries, gas supplier Colonial Pipeline in the United States and desktop management software provider Kaseya, which saw many of its customers attacked by REvil.
This included Swedish grocery chain the Co-op, which had to close 800 stores.
The ransomware criminals were very brazen about their damaging attacks that were costly and slow to recover from, and even ran a Happy Blog site to boast about them.
Security researchers humiliated by the criminals bypassing their defences made REvil their top priority. Last year, US president Joe Biden formally asked the Russian leader Vladimir Putin to do something about the ransomware raiders running rampant in American computer networks.
Western authorities justifiably suspected that while the ransomware bandits might not have been directly state-sponsored, Russian and Eastern European law enforcement agencies turned a blind eye to the criminals' activities.
Seeing young men with no visible means of legitimate income drive around in exotic sports cars and party in expensive nightclubs doesn't seem to have aroused the suspicion of the local constabularies at all.
REvil also stiffed their affiliates for ransom payments; if you want a case study on how to make bitter enemies high and low, look no further: the criminals now had multiple virtual bull's eyes painted on their backs.
By October and November last year, security researchers and police forces in multiple countries had mapped out REvil in a global cooperative effort, and hacked their command and control infrastructure.
Five people were arrested last year. This month, the FSB said it had conducted raids at 25 addresses in Russia's two biggest cities with 14 people being arrested.
Millions of dollars worth of extortion money, some of it in cryptocurrencies, were seized and yes, a bundle of "premium vehicles" again, with 20 fancy sets of wheels being impounded.
Here's the thing though: the Russians acted on information from US authorities. Right now, the US and its NATO partners are preparing to aid Ukraine against a Russian invasion that has gone from threats to the imminent stage.
Why then would Russia and the US cooperate like this? Several reasons spring to mind. The FSB having developed independence from the Kremlin seems unlikely, but a tidy-up operation to clean up REvil's gear to ensure that nothing inconvenient is revealed to Western authorities is not entirely unbelievable.
REvil crumbling under Western pressure is one thing, but there's China as well. The insightful Srsly Risky Biz newsletter last week published commentary from a US Department of Defence analyst which indicates that ransomware is a huge problem in China.
Security vendor Qihoo360 alone tallied up 3700 systems being attacked in 2020, and a further 860,000 successful ransomware attacks were recorded by researchers.
That's pretty massive, and REvil associated criminals were attributed for the attacks by Chinese authorities.
Although ransomware attackers usually try to avoid going for systems in the former Soviet republics, China was clearly never on that "stay clear" list.
Would it irritate China that Russian criminals disrupt and extort critical infrastructure providers and businesses in the Middle Xi-dom? Why yes, it would, and it's remarkable that it's been allowed to continue as far as it has.
The DoD cyber crime analyst goes on to suggest that since cryptocurrency underpins the entire ransomware business, China might act to curtail transactions done with virtual money. China has already shown its willingness to put the brakes on crypto transactions, and the authorities there might go after exchanges where criminals can obtain the real money needed to buy their Bugattis and Lamborghinis to hoon around in.
Whatever happens, ransomware criminals would be pretty stupid not to realise they're just pawns in a larger game. Pawns who are the first to be sent to Gulag that is. Maybe there's some justice in the virtual world after all.