More than a dozen members of the REvil ransomware group have been arrested courtesy of the Russian government.
Russia's Federal Security Service (FSB) announced on Friday that 14 people had been arrested and millions in currency seized.
The operation that led to the arrest of 14 people associated with the infamous cyber crime group, REvil, was a joint effort by the Federal Security Service of the Russian Federation and the Ministry of Internal Affairs of Russia.
The operation was conducted at the request of US authorities, according to the FSB, which added that the US was informed of the outcome.
According to Reuters, the FSB revealed that the investigative measures were based on a request from the United States.
"The organised criminal association has ceased to exist, and the information infrastructure used for criminal purposes was neutralised," the FSB confirmed.
As ransomware attacks have grown more common and more destructive over the past couple of years, REvil became infamous as one of the major culprits.
The group brought undue attention to itself last year following its attack against enterprise IT firm Kaseya, an incident that affected more than 1,000 organisations across the firm's supply chain. Another attack against meat processing company JBS Foods further brought REvil into the spotlight.
The group was reportedly taken down last October by a multi-nation operation in which law enforcement officials and cyber specialists hacked into REvil's computer network infrastructure and took control of some of it. Since then, group members have been flying under the radar but were still at large.
The Biden administration has been pressuring Russia to take ransomware and its perpetrators seriously, especially amid allegations that groups like REvil have operated with at least the tacit permission of the former Soviet Union.
Friday's operation also came in the midst of tension between the US and the Kremlin over fears that Russia has been planning a new invasion of Ukraine.
In reference to the FSB's comment that the operation was carried out at the request of the US government, Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, outlined that this may represent a backhanded message indicating that Russia can be used to stop ransomware activity, but only under certain circumstances.
"It's likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage," Morgan said.
"It could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine's border."
The fact that the FSB targeted REvil, who have not been publicly active in conducting attacks since October 2021, is also significant.
Chatter on Russian cyber criminal forums identified this sentiment, suggesting that REvil were "pawns in a big political game", while another user suggested that Russia made the arrests "on purpose" so that the United States would "calm down".
The FSB might have also raided REvil knowing that the group was a high-priority target for the US but that the arrests would have little impact on the current ransomware landscape, Morgan added.
The operation may have even been staged as a warning to other ransomware gangs to be mindful of whom they target lest they invite undue attention to themselves.
According to Neal Dennis, threat intel specialist at Cyware, the REvil crime group has seen a few iterations and probably their fair share of internal attrition since inception.
"They've weathered digital attacks and take-downs but always seemed to bounce back. Why? Because digital actions are nothing without arrests of key members of the gang.
"That being said, REvil is not the first Russian cyber crew to be wiped out by Russian authorities and won't be the last.
"In the past, when a group gets as large and prolific as this on the global stage, Russia eventually steps in," Dennis concluded.