According to Russia’s Federal Security Service, 14 people were detained and millions of dollars were seized.
Russian authorities have arrested more than a dozen members of the REvil ransomware gang. On Friday, the Federal Security Service of the Russian Federation (FSB) announced a joint operation with the Ministry of Internal Affairs of Russia that led to the arrest of 14 people connected with the notorious cybercrime group.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
Some 25 residential addresses were searched. In addition to the 14 arrests, several assets were seized, including more than 426 million rubles, €500,000, $600,000 in U.S. dollars, cryptocurrency wallets, computer equipment and 20 luxury cars bought with money obtained from the group’s crimes.
They were accused of committing crimes under Part 2 of Article 187 of the Criminal Code of Russia, “Illegal Circulation of Means of Payment.”
According to the FSB, the operation was carried out at the request of U.S. authorities. “The investigative measures were based on a request from the … United States,” the FSB said, according to Reuters. “The organized crime association has been destroyed and the criminal information infrastructure was eliminated.”
Ransomware attacks have become more frequent and more damaging over the last few years, and REvil has been a major perpetrator. The group drew wide attention last year after its attack on Kaseya, a provider of enterprise IT management software, which affected more than 1,000 companies downstream in Kaseya’s supply chain. REvil was also blamed for an attack on the meat processing firm JBS Foods.
A multinational operation involving law enforcement officers and cyber specialists compromised REvil’s network infrastructure and took control of some of its servers, which led to the group being taken down. Its members reportedly remained at large, but they have been flying below the radar since then.
The Biden administration has been pressing Russia to take ransomware and its perpetrators seriously, particularly in light of allegations that groups such as REvil operated with the tacit consent of the Kremlin. Friday’s operation also came amid tension between the U.S. government and the Kremlin over fears that Russia is planning an invasion of Ukraine.
Chris Morgan, senior cyber threat analyst at Digital Shadows, said the FSB’s comment that the operation was conducted at the request of the U.S. government may be read as a backhanded message: Russia can be relied on to end ransomware activity, but only under certain circumstances.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
Morgan said it was likely that Russia used the arrests of REvil members as leverage, and that one could speculate this was related to U.S. sanctions on Russia or the current situation at the Ukraine border. Notably, the FSB chose to target REvil, a group that had not been observed carrying out attacks since October 2021. The same sentiment appeared in chatter on Russian cybercriminal forums, where users suggested that REvil members were pawns in a bigger political game. Another user suggested that Russia made the arrests “on purpose” so that the United States would “calm down.”
Morgan added that, although the FSB could have raided REvil at the request of the U.S., he was not aware that REvil remained a high-priority target for the U.S., and that the arrests would likely have minimal impact on the ransomware landscape. He suggested the operation might instead have been intended as a warning to other ransomware groups to pay attention to who they target, in order to avoid drawing undue attention to themselves.
The question now is whether these arrests mean REvil is really down for the count.
“Regarding REvil,” said Neal Dennis, threat intelligence specialist at Cyware, the crime organization has gone through a few iterations, and likely its fair share of internal attrition. “They’ve survived many digital attacks and takedowns but have always bounced back. Why? Because digital actions can’t be taken without key members being arrested. However, REvil was not the first Russian cyber gang to be taken out by Russian authorities. Russia usually intervenes when a group is as prolific and large as this one.”