The Federal Security Service (FSB) of the Russian Federation says it has shut down the REvil ransomware gang after US authorities reported on the gang's leader.
More than a dozen members of the gang have been arrested after police raids at 25 addresses, the Russian security agency said in a press release today.
Russian authorities have arrested 14 people suspected of being part of the ransomware-as-a-service (RaaS) operation REvil and confiscated cryptocurrency and fiat money, including:
- more than 426 million rubles (about 5.5 million US dollars)
- 500,000 euros (approx. $570,000)
Russian authorities also seized 20 luxury cars purchased with the proceeds of cyberattacks, as well as computer equipment and cryptocurrency wallets used to develop and maintain the RaaS operation.
Footage from the raids shows officers arresting suspects and confiscating money and electronics.
The raids took place at addresses in the Moscow, St. Petersburg, Leningrad and Lipetsk regions.
The FSB says that it was able to identify all members of the REvil gang, document their illegal activities and establish their involvement in the "illegal circulation of means of payment".
Aside from creating the file-encrypting malware and deploying it in corporate networks around the world, REvil members were also involved in stealing money from foreign citizens' bank accounts.
The FSB announced that it had informed the representatives of the responsible US authorities about the results of the operation.
REvil ransomware is crumbling
In less than a year, the gang became the most prolific ransomware group, demanding some of the largest ransoms from its victims. It rose to notoriety in August 2019 when it hit several local governments in Texas and demanded a collective ransom of $2.5 million, the highest to date at that time.
REvil's most famous hit was the supply-chain attack on Kaseya, which paralyzed around 1,500 companies around the world. The ransom demanded for a decryptor covering all affected organizations was $70 million in bitcoin.
This attack prompted a stern response from the US, with President Biden calling on President Putin to take action against cybercriminals operating from Russia, or the US would act on its own.
The gang was also the first to have a public representative, initially going by the forum name UNKN and later by Unknown, who promoted the REvil RaaS business in the Russian-speaking cybercrime community.
This public representative disappeared shortly after the Kaseya attack (some believed Unknown had been arrested) as pressure from international law enforcement agencies mounted.
After the Kaseya attack, the REvil operation went dark and resumed two months later. What the operators did not know was that law enforcement had breached their servers before the shutdown, so when they restored their systems from backups, they also restored the machines already under law enforcement's control.
The FSB’s action against REvil comes after US and international law enforcement organizations joined forces to identify and arrest members of ransomware operations.
In November 2021, the US announced that it had arrested a REvil affiliate responsible for the Kaseya attack (Ukrainian national Yaroslav Vasinskyi) and seized over $6 million from another REvil affiliate (Russian national Yevgeniy Polyanin), who is believed to have carried out about 3,000 ransomware attacks.
In the same month, authorities in Romania arrested two REvil affiliates responsible for 5,000 attacks that earned them €500,000 in ransom payments.
Update [January 14, 2022, 13:26 EST]: Added background information about the REvil ransomware gang and the arrests of its affiliates.