In an unprecedented move, Russia’s Federal Security Service (FSB), the country’s principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.
The surprise takedown, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in Moscow, St. Petersburg, and the Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organized cybercrime syndicate.
“In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet,” the FSB said in a statement.
In addition, the FSB seized over 426 million rubles (including in cryptocurrency), $600,000, €500,000, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.
REvil was one of the most prominent ransomware groups last year. It claimed responsibility for attacks on Kaseya and JBS, as well as a number of others. The U.S. government told Reuters that one of the arrested individuals was also behind the ransomware attack on Colonial Pipeline in May 2021, once again confirming REvil’s connections to a second collective called DarkSide.
The group formally closed shop in October 2021 after the U.S. intervened to take its network of dark web servers offline. The next month, law enforcement authorities announced the arrest of seven individuals for their roles as affiliates of the REvil ransomware family, even as the U.S. charged a 22-year-old Ukrainian citizen linked to the ransomware gang for orchestrating the Kaseya ransomware attack.
All those detained have been charged with “illegal circulation of means of payment,” a criminal offense punishable by up to six years in prison. Although the suspects were not named, Reuters reported that two men from Moscow had been identified as Roman Muromsky and Andrei Bessonov in a criminal case.
The crackdown also comes as threat actors likely affiliated with Russian secret services crippled much of the Ukrainian government’s public-facing digital infrastructure, in addition to defacing some of those systems with messages that alleged people’s personal data had been made public and that the information stored on the servers was being destroyed.
It is unclear what the arrests will mean for the ransomware industry, which continues to thrive despite numerous law enforcement actions. This is partly due to Russia’s unwillingness to take action against cybercriminals based in Russia, effectively giving them impunity.
“While we are still looking to understand the true impact of these arrests, we applaud the Russian government for the actions it took today with regard to the REvil criminal ransomware group,” Matt Olney, director of threat intelligence and interdiction at Cisco Talos, told The Hacker News. “It’s important that criminal cyber actors and organizations not be allowed to operate with impunity. And so any result that leads to degrading of their capabilities is undoubtedly a good thing.”