Russian hackers target Ukraine allies including Australia

Russia physically invaded Ukraine but is now targeting its allies including Australia online. See who the Russian cyber hackers are and why they’re doing it.

In January this year, 70 Ukrainian government institutions’ computers were hacked with flashing warnings.

“All information about you has become public, be afraid and expect the worst. This is for your past, present and future,” it said and came just hours after high-level talks between Moscow and the West failed as thousands of Russian troops amassed on Ukraine’s border.

Despite evidence that Russians were behind the hack, Moscow denied any knowledge, then curiously ordered its domestic security agency, the FSB, to raid 25 properties in Moscow, arresting 14 people, including prominent web developers who faced years in jail.

The notorious REvil hacking group responsible for numerous costly cyber attacks on Ukraine and the West, the FSB declared, had been dismantled and its “information infrastructure used for criminal purposes neutralised”.

But the whole affair was something of a charade and a warning to the West.

A Ukrainian emergency service worker throws flammable debris from the balcony of an apartment while working to extinguish a fire in a high rise residential building that was hit by Russian shelling on December 12, 2022 in Bakhmut, Ukraine. Picture: Chris McGrath/Getty Images

One month later Russia invaded Ukraine, the hackers were all released and REvil re-formed, with some members purportedly forming informal links with the FSB and being tasked with focusing cyber attacks on Ukraine and its allied nations, including Australia.

Intelligence suggests some members are also now employed to bolster the cyber defences of the Russian-occupied territories of Ukraine.

“Ransomware operators attacking Western entities have long since been tolerated by the Russian authorities but there was no overt encouraging and there appeared to be a line between State structures and financially motivated ransomware operators,” risk intelligence firm Flashpoint analyst Andras Toth-Czifra said.

A Federal Bureau of Investigation (FBI) image shows Maksim Yakubets, alleged head of Evil Corp, who has ties to the FSB and in 2020 was indicted by the US for the cybertheft of tens of millions of dollars.
Igor Turashev was also indicted by US authorities. Picture: FBI

“But this line seems to be fading and the war is definitely a factor and likely also the fact that Ukraine has been co-operating more with Western law enforcement.”

This month, according to cybersecurity company Bitdefender, Australia has become “the most targeted country for ransomware attacks in the world for the first time”, with REvil, also known as Sodinokibi, just one of up to 189 criminal consortium “families” targeting the country.

The REvil family is suspected to be behind the Medibank hack, despite claims from the Russian Embassy in Canberra that there was no proof their countrymen were behind it. That message came from the same diplomats who in February dismissed as Western hysteria the idea that Russia would ever invade Ukraine, days before it did.

The attack on Medibank exposed the data of around 9.7 million current and former customers. Picture: Getty Images

But it is not clear-cut: a second ransomware group, Corp Leaks, has now been identified as also linked to the Medibank attack, highlighting the overlap of groups in the ransomware world.

REvil, a meld of the words ransom and evil, first emerged in 2019; it is based in Russia and uses affiliates in Eastern Europe. Its link to Medibank was first traced through the dark web and the extortion site that had been hosting the stolen patient data.

It advertises ransomware as a service, working on contract to hack any company, government, infrastructure or individual as commissioned. It is as much motivated by geopolitical assaults, such as those on Ukraine and its supporter nations, as by money.

Australian Signals Directorate HQ in Canberra.

In 2021 REvil reportedly hacked global meat producer JBS Foods, behind some of Australia’s best-known smallgoods brands. The company “made the difficult decision” and paid a ransom of more than US$11 million ($A16.41 million) to REvil.

The Australian Federal Police Cyber Security Team and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) had been tracking REvil’s activities for some time, working with counterparts from the United States after the group in March attempted to hack national critical infrastructure by launching waves of “reconnaissance” hacks to find weaknesses.

Risk intelligence firm Flashpoint senior director Ian Gray said despite heightened global scrutiny by law enforcement, REvil continues.

“The reality is that it is difficult to disrupt or stop ransomware gangs that may target Australia without extradition treaties in place with countries that may turn a blind eye to cybercriminals, such as Russia,” he said.

Mr Gray suggested alternative defences could include working more closely with cryptocurrency exchanges, since REvil and other ransom groups usually demand, and receive, payments in crypto.

Inside the Australian Signals Directorate cyber and foreign intelligence facility. Picture: Supplied

A REvil affiliate earlier this year broke ranks to give an interview about their work.

It said there was an anti-establishment, socialist or anarchist cool about what they do, but ultimately it was about money, and as big companies and governments improved their defences they simply exploited the smaller firms in their supply chain as a backdoor entry. They have the patience, time and money to spend months on a single hack.

“I am against romanticising my work,” the REvil contractor told the Russian dark web.

“Money is being stolen or extorted with my hands but I’m not ashamed of what I do. I sincerely try to find at least something bad in this and cannot. Probably, my concepts of what is good and what is bad are somehow shifted … I’ve already earned for the rest of my life. Not millions, but enough to live in peace and never work. Here is also a second factor: how to quit a job that brings such earnings in a country where you are not much sought after?”

Originally published as Russian hackers target Ukraine allies including Australia

Original URL: https://www.goldcoastbulletin.com.au/news/world/russian-hackers-target-ukraine-allies-including-australia/news-story/40a48a5760a13b50a3023900b50853d0