Russian authorities arrest 14 alleged members of REvil ransomware gang at US request


US officials provided detailed information about the leader of the gang, the FSB says

The Federal Security Service (FSB) of the Russian Federation said on Friday that it had taken down the ransomware crime group REvil at the request of the United States, in an operation in which 14 alleged members of the gang were arrested.

The individuals detained by the FSB included a hacker who US officials say carried out May's Colonial Pipeline attack.

The Russian agency said that the operation was conducted in cooperation with the Ministry of Internal Affairs of Russia, and that 25 addresses in the Moscow, St. Petersburg, Lipetsk and Leningrad regions were raided by law enforcement officials.

It resulted in the seizure of more than 426 million roubles, including in cryptocurrency, 600 thousand US dollars (about £438,800) and 500 thousand euros (about £417,000).

The FSB also seized computer equipment and 20 luxury cars, which had been bought using the criminal earnings.

The agency said that the basis for these raids was an appeal by the US authorities, who provided detailed information about the leader of the gang and his role in encroaching on the information resources of foreign tech firms.

The individuals created malicious software in order to achieve their criminal intent and organised the theft of funds from the bank accounts of a large number of foreign citizens.

As a result of the joint action, the organised cybercrime group has ceased to exist, and the IT infrastructure used for criminal objectives has been neutralised, according to the FSB.

Accused Russian members of the gang are not likely to be extradited to the United States.

The US administration welcomed the arrests, and a senior official said that one of the individuals arrested by the FSB was responsible for the attack against Colonial Pipeline last spring.

The Biden administration has long called on the Kremlin to take more steps to crack down on ransomware gangs operating within the country.

In June, US President Biden met Russia's President Putin to discuss the cyber attacks against the West, all of which appeared to originate from Russia. Biden told Putin that he expected Russia to act against any such groups operating within its borders.

REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of 2020/21.

In June, meat processing giant JBS said it paid $11 million to REvil, which locked its systems at the end of May.

In July, REvil used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers in a massive supply chain attack.

A few days after attacking Kaseya, REvil disappeared from the internet - abandoning forums, disconnecting its servers, and shutting down its dark web presence. Experts suspected that the Russian government had forced the group to cease operations, to show the world that it was working with the US government.

But in September, many of the dark-web servers belonging to REvil resurfaced, sparking fears that the group was preparing for new attacks.

About a month later, it emerged that the REvil gang had itself been hacked and taken offline in a coordinated operation involving law enforcement agencies from multiple countries.

Reuters reported that cyber experts working with US intelligence agencies were able to breach REvil's computer network infrastructure and seize control of at least some of its servers.

Last month, a US court filing showed that the FBI had seized 39.9 Bitcoins - worth approximately $2.3 million (about £1.7 million) - from an alleged affiliate of the REvil ransomware gang back in August. The federal agency said the seized cryptocurrency was derived from payments to the REvil group to mitigate the effects of ransomware attacks in the United States and elsewhere between April 2019 and June 2021.

Last week, the Cyber Unit of the National Police of Ukraine also announced that it had detained five members of a cybercrime gang that is thought to have helped launch attacks against more than 50 firms in Europe and the US.

The operation was carried out with the assistance of law enforcement officials from the UK and US and resulted in the arrest of an unidentified individual from the capital city of Kiev, along with his wife and three other associates.