In a surprising twist, the Russian government has announced the arrest of multiple members of REvil—the prominent ransomware gang behind numerous large-scale attacks on U.S. targets.
The Federal Security Service (FSB), Russia’s domestic intelligence agency, said in a press release Friday that it had recently conducted raids at 25 residences across Moscow, Leningrad, Lipetsk, and St. Petersburg, where 14 members of the cybercriminal gang were arrested. During the raids, authorities seized more than 426 million rubles, $600,000, and €500,000, along with 20 luxury vehicles and hoards of computer equipment.
While the identities of the hackers have not been made public at this time, video provided by the FSB shows officers chasing and handcuffing various individuals, while also rifling through apartments. The Russian government further noted that it had apprehended the criminals at the behest of the United States. The FSB press release reads (translated from Russian via Google):
“The search activities were based on the appeal of the US competent authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption...”
REvil has been high on America’s shit-list ever since it carried out the massive Kaseya ransomware attack last summer. The attack used malicious software updates in the tech firm’s popular IT products to infect upwards of 1,500 different companies worldwide—including many in the U.S. The incident spurred emergency action by the White House, a $10 million reward for information leading to the gang’s arrest, and calls for a better federal strategy to combat cybercrime.
But the gang has also allegedly been involved in attacks on hardware manufacturer Acer, celebrity law firm Grubman Shire Meiselas & Sacks (they reportedly leaked 2.4 gigabytes of Lady Gaga’s legal documents), and Quanta, a prominent computer parts supplier that works for Apple, among other big names. It also conducted a disruptive ransomware attack on meat-processing giant JBS Foods last May, temporarily forcing the company to shut down a number of its food production sites. All in all, they’ve caused quite a lot of damage.
U.S. authorities have been calling on Russia to crack down on cybercriminal gangs operating within the nation’s borders for quite some time. A series of meetings between Russian President Vladimir Putin and U.S. President Joe Biden last year showed the two leaders agreeing that more should be done to stop ransomware attacks—though Russia hasn’t really done anything until just now.
Still, it’s a potentially promising development. If Russia is amenable to arresting this gang, that might signal a more compliant attitude when it comes to going after the numerous other cybercriminal syndicates operating out of its territories.
Some commentators have noted the odd timing of the FSB’s operation, however. The U.S. and Russia are currently experiencing severe tensions over the political situation in Ukraine—where some U.S. commentators have alleged that Russia is preparing for a military invasion. As such, the possibility that Russia has arrested REvil as a kind of bargaining tactic with the U.S. seems plausible to some. “I think being concerned about Russia’s ulterior motives is perfectly reasonable,” John Hultquist, vice president of threat intelligence at cyber firm Mandiant, recently told WIRED.
Ukraine also recently suffered a cyberattack that defaced government websites, though there has been no official attribution as to who is responsible.