The Federal Security Service (FSB) of the Russian Federation said it shut down the REvil ransomware gang after US authorities reported the leader.
More than a dozen members of the gang have been arrested following police raids at 25 addresses, Russia’s security agency said in a press release today.
“The basis of the search activities was the appeal of the relevant US authorities, who reported the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malware, by encrypting information and extorting money for its decryption” – Russian Federal Security Service
Russian authorities have arrested 14 people suspected of being part of the REvil ransomware-as-a-service (RaaS) operation and confiscated cryptocurrency and fiat currency as follows:
- over 426 million rubles (about $5.5 million)
- 600 thousand US dollars
- 500 thousand euros (about $570,000)
Russian authorities also confiscated 20 luxury cars purchased with money from cyberattacks, computer hardware and cryptocurrency wallets used to develop and maintain the RaaS operation.
Footage from the raids released by the FSB shows officers detaining the suspects and confiscating cash and electronics.
The raids took place at addresses in the Moscow, St. Petersburg, Leningrad and Lipetsk regions.
The FSB says it was able to identify all members of the REvil gang, documented their illegal activities and established their participation in the “illegal circulation of means of payment”.
Besides creating the file-encrypting malware and deploying it on corporate networks around the world, REvil members have also been implicated in stealing money from the bank accounts of foreign citizens.
“As a result of the joint actions of the FSB and the Russian Ministry of Internal Affairs, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized” – Russian Federal Security Service
The FSB says it has informed the representatives of the competent American authorities of the results of the operation.
REvil ransomware goes down
REvil ransomware (aka Sodin and Sodinokibi) emerged in April 2019 from the vacuum left by the shutdown of Operation GandCrab.
In less than a year, the gang became the most prolific ransomware group, demanding some of the highest ransoms from its victims. It became infamous in August 2019 when it hit several local governments in Texas and demanded a collective ransom of $2.5 million – the highest to that date.
Soon, asking huge sums of money from large organizations and getting paid became the norm. Within a year, the gang claimed profits in excess of $100 million.
REvil’s most high-profile hit was the Kaseya supply chain attack that crippled around 1,500 businesses worldwide. The ransom demand to decrypt all organizations was $70 million in Bitcoin.
This attack provoked a harsh response from the United States, with President Biden asking President Putin to take action against cybercriminals residing in Russia; otherwise, the United States would act alone.
The gang was also the first to have a public representative on hacker forums, going by the name UNKN at first and later Unknown, who promoted the REvil RaaS operation in the Russian-speaking cybercriminal community.
This public representative disappeared shortly after the Kaseya attack (some assumed that Unknown had been arrested) as pressure from international law enforcement increased.
After the Kaseya attack, the REvil operation went on hiatus and then resumed operations two months later. What the operators didn’t know was that law enforcement had hacked into their servers before the break, so when they restored the systems from backups, the criminals also restored the machines controlled by law enforcement.
The FSB’s action against REvil comes after US and international law enforcement organizations joined forces to identify and arrest members of the ransomware operation.
As a result, the United States announced in November 2021 that it had arrested a REvil affiliate (Ukrainian national Yaroslav Vasinskyi) responsible for the attack on Kaseya and seized over $6 million from another REvil partner (Russian national Yevgeniy Polyanin), who allegedly deployed around 3,000 ransomware attacks.
In the same month, Romanian authorities arrested two REvil ransomware affiliates responsible for 5,000 attacks that earned them 500,000 euros in collected ransoms.
Update [January 14, 2022, 13:26 EST]: Added general information about the REvil ransomware gang and the arrests of its affiliates