Russia Arrests 14 Suspected REvil Ransomware Group Members

Russian Authorities Say They Acted on Intelligence Shared by Biden Administration
REvil regularly attempted to "name and shame" victims that didn't quickly meet its ransom demands, via its "Happy Blog" data leak site.

Russian authorities have arrested 14 individuals suspected of being part of the notorious REvil, aka Sodinokibi, ransomware operation.

Russia's Federal Security Agency, the FSB, first reported the arrests Friday, saying they'd taken place in five cities: Moscow and St. Petersburg, as well as regions around Moscow, Leningrad and Lipetsk.

Authorities say they acted on information shared by U.S. law enforcement agencies, including the identity of the alleged ringleader of the REvil operation, as well as shared evidence about the group's use of ransomware to crypto-lock victims' systems, followed by attempts to extort them into paying a ransom to decrypt the data.

The FSB says it used those materials to begin its own investigation, and gathered evidence showing that "to implement their criminal plan, the suspects developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and cashed out these funds, including by purchasing expensive goods on the internet."

Authorities have not disclosed the suspects' identity, when they were arrested or if they have been released on bail.

The FSB says that U.S. law enforcement representatives "have been informed about the results of the operation." The U.S. Department of Justice didn't immediately respond to a request for comment. But White House officials last September had confirmed that they'd been sharing intelligence on leading Russia-based ransomware-using suspects with Moscow.

Seized: Cash, Cryptocurrency, Cars

The FSB says that as part of its operation, agents searched 25 addresses and seized more than 426 million rubles (over $5.6 million), some of it in cryptocurrency, as well as more than $600,000 in U.S. cash, plus 500,000 euros ($572,000). In addition, law enforcement agents also seized "computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with money obtained from crime."

Video of REvil suspects being apprehended and their residences searched (Source: FSB)

The FSB says the suspects have all been charged under part 2 of Article 187 of Russia's criminal code, which prohibits the making or sale of counterfeit credit or debit cards, or other payment documents, as well as the illicit control of money, or money laundering. Part 2 specifically prohibits such acts when committed by an organized group, and carries a prison sentence of up to five years, or "deprivation of liberty" for up to seven years, as well as a fine of up to 1 million rubles ($13,000) or else up to five years' worth of salary.

The FSB says the infrastructure being used by REvil has also been dismantled.

If members of REvil have been arrested by Russian authorities, it would help explain the group's absence from the cybercrime scene in recent months.

REvil first appeared in April 2019 as a spinoff of GandCrab ransomware. Both of them relied heavily on affiliates. In this so-called ransomware-as-a-service model, the operators of REvil would develop the crypto-locking malware, then provide it on demand via a portal to affiliates. For every victim that an affiliate encrypted and who paid a ransom, REvil's agreement was typically that the affiliate would receive 60% of the ransom, rising to 70% after three victims paid.

This RaaS model helped drive record ransomware profits for criminals, backed in part by groups such as REvil building in additional capabilities, such as the ability to target managed service providers, infect all of their customers, and then demand a ransom payment from each of those customers, in return for a decryption key that would only work for that customer.

REvil was also a relatively early adopter of so-called double extortion tactics, in which attackers demanded a ransom not only for a decryptor, but also in return for not leaking stolen data.

REvil Overreached

Arguably, however, REvil and some other ransomware operations overreached, hastening their demise.

Among many other attacks, in May 2021, the DarkSide operation disrupted Colonial Pipeline, which provides fuel for 45% of the U.S. East Coast, sparking panic buying of gasoline. Shortly thereafter, REvil hit the world's largest meat processor, JBS, which has operations in the U.S., and then U.S. managed service provider software developer Kaseya. REvil ransomware was then distributed via MSPs who use Kaseya's software, enabling REvil to amass thousands of victims, and demand a ransom from each.

Those disruptions helped drive the Biden administration to classify ransomware as a national security threat. Meeting last June at a summit in Geneva, Biden demanded that Russian President Vladimir Putin curb criminals launching online attacks against the U.S. from inside Russia.

In July, meanwhile, REvil went dark, apparently after being disrupted by a multinational operation involving military, law enforcement and intelligence agencies in the U.S. and one or more allies. At that time, core administrator UNKN - aka Unknown - also disappeared, leading some members of REvil to say they suspected he might be dead.

The U.S. State Department in November 2021 announced a reward of up to $10 million for information leading to the "location, arrest, and/or conviction" of REvil participants.

Subsequently, a remaining administrator attempted to restore REvil's Tor-based infrastructure, but made some basic errors that allowed a third party - likely law enforcement - to take control of the operation's "Happy Blog" data-leak site as well as payment page. By last October, REvil's operations again appeared to have gone dark.

Last November, the U.S. State Department announced a reward of up to $10 million "for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi (also known as REvil) ransomware variant transnational organized crime group."

A reward of up to $5 million is being offered as well, "for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi ransomware incident."

Ransomware Crackdown in Russia?

Last summer, the White House said it wanted to see Moscow cracking down on ransomware within six months, or else it reserved the right to use U.S. military and intelligence resources to disrupt the online networks used by criminals directly.

With the news of the arrest of alleged REvil members, it appears that the Russian government has been moving to do just that.

What remains to be seen, however, is whether the suspects turn out to be core members of REvil, or even major affiliates, or whether they're just lower-level money mules or developers. Likewise, if the suspects are found guilty, it's not clear yet what specific penalties they might face.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
