According to Russia’s principal security agency, the FSB (Federal Security Service), the arrests of members of the REvil ransomware gang were made at the request of the government of the United States.
Russia’s Federal Security Service (FSB) has arrested and charged 14 suspects for their connection with the infamous REvil ransomware gang (aka Sodinokibi). The arrests were made at the request of the United States, the agency said on Friday, January 14th.
This marks the apparent end of the REvil ransomware gang, which was involved in some of the largest ransomware attacks ever carried out against critical infrastructure in the United States, including the attack on Kaseya Limited, a leading provider of IT and security management solutions.
The news came just a day after Ukrainian authorities arrested 5 suspects for carrying out ransomware attacks against international businesses costing millions of dollars in damages.
Raids, property seizure, and arrests
According to local Russian media, the FSB, the principal security agency of the country, raided 25 different locations in several Russian cities and regions, including the capital, Moscow, as well as St. Petersburg, Lipetsk, and the Leningrad region.
Furthermore, authorities seized assets worth more than 426 million rubles (about £4 million, $5.5 million or €4.8 million) in cash and cryptocurrency. Moreover, 20 luxury vehicles purchased with money obtained from ransom payments were also confiscated.
The FSB has confirmed that all 14 suspects have been charged with committing crimes under Part 2 of Art. 187 “Illegal circulation of means of payment” of the Criminal Code of Russia.
REvil ransomware gang has been “neutralized”
In a press release, the FSB added that the REvil ransomware gang has been completely dismantled and that the infrastructure used by the threat actors has been “neutralized.”
“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community has ceased to exist, the information infrastructure used for criminal purposes has been neutralized. Representatives of the US competent authorities have been informed about the results of the operation.”
Like other ransomware gangs, REvil operated by exploiting security vulnerabilities to compromise targets. The group would encrypt files on the victims’ computers and demand ransom payments; because the attackers also exfiltrated data before encrypting it, they would leak that data online if their demands were not met.
Ziv Mador, VP of Security Research at Trustwave SpiderLabs, stated that the actions of the FSB, which reports directly to President Vladimir Putin, are “unprecedented.”
However, he also warned that REvil’s resources could re-emerge in another form, as has happened with other ransomware groups many times in the past, for example the emergence of the Haron and BlackMatter ransomware groups in July 2021, shortly after DarkSide and REvil went dark.
“This unprecedented action from the Russian Federal Security Service (FSB) aligns with the fear that we’ve observed while conducting cybercriminal chatter reconnaissance on the Dark Web. Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia,” Mador said.