Russia arrests REvil ransomware gang members, seizes $6.6 million

The Russian Federal Security Service (FSB) says it has shut down the REvil ransomware gang after U.S. authorities reported on the group's leader.

More than a dozen members of the gang have been arrested after police raids at 25 addresses, the Russian security agency said in a press release today.

“The basis for the search was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in interfering with the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption” – Russian Federation security service

Russian authorities have detained 14 people suspected of being part of the REvil ransomware-as-a-service (RaaS) operation and confiscated cryptocurrency and fiat money as follows:

  • more than 426 million rubles (about $5.5 million)
  • 600,000 US dollars
  • 500,000 euros (about $570,000)

Russian authorities also confiscated 20 luxury cars bought with proceeds from cyberattacks, along with computer equipment and cryptocurrency wallets used to develop and run the RaaS operation.

Footage from the raids shows officers detaining the suspects and confiscating money and electronics.

The raids took place at addresses in Moscow, St. Petersburg, and the Leningrad and Lipetsk regions.

The FSB says it was able to identify all members of the REvil gang, document their illegal activities and establish their participation in the “illegal circulation of means of payment.”

In addition to creating the file-encrypting malware and deploying it on corporate networks across the globe, REvil members were also involved in stealing money from foreign nationals’ bank accounts.

“As a result of the joint actions of the FSB and Russia’s Interior Ministry, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized” – Russia’s Federal Security Service

The FSB says it informed the representatives of the competent US authorities about the results of the operation.

REvil ransomware crumbles

REvil ransomware (aka Sodin and Sodinokibi) emerged in April 2019 from the void left after the shutdown of the GandCrab operation.

In less than a year, the gang became the most prolific ransomware group, demanding some of the highest ransoms from its victims. It rose to prominence in August 2019 when it hit several local administrations in Texas and demanded a collective ransom of $2.5 million – the highest to date.

Soon it became the norm to ask for huge amounts of money from large organizations and get paid. In one year, the gang claimed a profit of over $100 million.

REvil’s most talked-about hit was the Kaseya supply chain attack, which paralyzed about 1,500 companies worldwide. The ransom demanded for a decryptor covering all affected organizations was $70 million in Bitcoin.

This attack prompted a stern response from the United States, in which President Biden asked President Putin to intervene against cybercriminals living in Russia; otherwise the United States would act on its own.

The gang was also the first to have a public representative, who initially used the forum handle UNKN and later switched to Unknown, and who promoted the REvil RaaS business in Russian-speaking cybercrime communities.

This public representative disappeared shortly after the Kaseya attack (some assumed that Unknown had been arrested), as pressure from international law enforcement increased.

After the Kaseya attack, the REvil operation went dark and resumed two months later. What the operators did not know was that law enforcement had compromised their servers before the break, so when they restored the systems from backups, they also brought back machines that were under law enforcement control.

The FSB’s action against REvil comes after US and international law enforcement agencies joined forces to identify and arrest members of ransomware operations.

As a result, in November 2021, the United States announced that it had arrested a REvil ransomware affiliate (Ukrainian citizen Yaroslav Vasinskyi) responsible for the Kaseya attack and seized over $6 million from another REvil affiliate (Russian citizen Yevgeniy Polyanin), who is believed to have carried out approximately 3,000 ransomware attacks.

That same month, Romanian authorities arrested two REvil ransomware affiliates responsible for 5,000 attacks that brought them €500,000 in ransom payments.

Update [January 14, 2022, 13:26 EST]: Added background information about the REvil ransomware gang and the arrests of its affiliates