Russian Raids Dismantle Cyber-Group REvil


By Staff Writer.

Russian authorities claim to have dismantled ransomware hacking group REvil after a series of raids and arrests late last week across multiple Russian regions. The FSB, Russia’s internal security service, said the arrests followed a US Government request.

In a statement, the FSB said it raided 25 addresses and arrested 14 people in Moscow, St. Petersburg, and the Moscow, Leningrad, and Lipetsk regions. In addition to luxury cars, cryptocurrency wallets, and computer equipment, the FSB said it seized cash, including US$600,000.

Charges laid include breaching Part 2 of Article 187 of Russia’s Criminal Code, “Illegal circulation of means of payment,” which carries up to seven years imprisonment.

The FSB says the group developed malicious software, organised the theft of funds from foreign citizens’ bank accounts, and cashed out those funds, including by purchasing goods online.

As a result of the arrests, the FSB claims REvil has “ceased to exist” and that it has dismantled the infrastructure supporting the loosely organised ransomware group.

The FSB also says the raids and arrests followed a request by US authorities. That request came after a spike in high-profile cyberattacks earlier in 2021 attributed to REvil.

REvil is closely associated with DarkSide, a separate ransomware operation widely believed to have grown out of REvil, whose malware was used in the May 2021 cyber-attack on Colonial Pipeline that caused fuel shortages across the eastern US. Colonial Pipeline reportedly paid a ransom of about US$4.4 million.

In June, a cyber-attack on meat supplier JBS was attributed to REvil. The attack shut down nine meatworks around the world, with JBS ultimately paying a ransom of US$11 million. In July, another massive cyber-attack, delivered through Kaseya’s remote-management software, compromised thousands of computer networks worldwide and was traced back to REvil.

In the same month, US President Joe Biden told Russian President Vladimir Putin his country would face consequences if it did not move to dismantle criminal cyber-groups such as REvil.

Towards the end of 2021, the US offered a US$10 million reward for information about REvil members. Multiple countries, including the US, also stepped up counter-hacking efforts against criminal cyber-groups.

The US Government welcomed news of last week’s arrests, saying it looked forward to further arrests and action by Russian authorities to take down criminal cyber-groups operating within their jurisdiction.

“We’re committed to seeing those conducting ransomware attacks against Americans brought to justice, including those that conducted these attacks on JBS, Colonial Pipeline, and Kaseya,” said a White House spokesperson.

Speaking on the condition of anonymity, the spokesperson said the arrests were a result of ongoing talks and information sharing between Presidents Biden and Putin.

“We’ve shared information regarding individuals operating from within Russia who have conducted disruptive attacks against US critical infrastructure.

“These are very important steps, as they represent the Kremlin taking action against criminals operating from within its borders. And they represent what we’re looking for with regard to continued activities like these in the future.”

Russian courts remanded the alleged REvil members in custody over the weekend. However, there is no extradition treaty between Russia and the US, and there is no expectation that those detained will face court in the US.

“Each country pursues its law enforcement operations under its own legal system. And Russia’s announcement today was clearly something that will be pursued via its own law enforcement steps,” added the White House spokesperson.