Russian law enforcement authorities said on Friday that they have arrested 14 people associated with REvil, a top ransomware group that has disrupted critical operations of wealthy targets and held their data hostage.
The action, carried out by Russia’s FSB, the successor agency to the KGB, is a rare example of the country’s government cracking down on cybercrime by its citizens. The US and Russia have no extradition treaty in place, and critics have said the Kremlin routinely harbors cybercriminals as long as they don’t target organizations located in the former Soviet Union. The arrests come as tensions between Russia and the US escalate over a standoff involving Ukraine.
Big-game hunter neutralized
“The FSB of Russia established the full composition of the criminal community ‘REvil’ and the involvement of its members in the illegal circulation of means of payment and documented illegal activities,” Russian officials wrote. “In order to implement the criminal plan, these persons developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and their cashing, including by purchasing expensive goods on the Internet.”
Friday’s release added: “As a result of joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist. The information infrastructure used for criminal purposes was neutralized.”
REvil first appeared in 2019 and quickly developed a reputation for its technical prowess and hard-nosed tactics, which included highly customizable ransomware and public shaming of its victims. The gang has practiced what’s known in ransomware circles as big-game hunting, meaning it targeted organizations with pockets deep enough to pay fees in the tens of millions of dollars. In April of last year, researchers ranked REvil as the No. 3 ransomware group, responsible for about 4 percent of attacks on the public and private sectors.
REvil victims included the massive international meat and poultry producer JBS SA, which in June was hit with an attack that shut down some operations. Other REvil victims include a law firm that represented Lady Gaga and other celebrities. Software firm Kaseya was also breached, leading to the infection of about 1,500 organizations that sought services from Kaseya or one of its customers. In October, REvil shut down its Happy Blog shaming site after members said their infrastructure was hacked.
A joint operation between the FSB and local police searched 25 addresses and detained 14 people; it also seized 426 million rubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars, Friday’s release said. Russian officials said they directly informed their US counterparts of the action. The authorities carried out the operation following a request from the US, the FSB said.
Last year, President Biden repeatedly pressed his Russian counterpart Vladimir Putin to arrest cybercrime syndicates in Russia and warned that attacks on pipelines and similar critical infrastructure wouldn’t be tolerated.