Russia Says It Arrested Members of Notorious ‘REvil’ Ransomware Gang

Russia’s Federal Security Service said on Friday that it arrested 14 alleged members of the ransomware gang responsible for the several major attacks in the last year.

In a press release, the FSB announced that it has mapped out the whole criminal organization behind REvil, a ransomware group known for hitting JBS, a large meat manufacturer, and the business software provider Kaseya. Security researchers believe REvil is connected to another group called DarkSide, which the FBI blamed for the hack on Colonial Pipeline hack the operator of the largest gas pipeline in the United States. 

Most notably, the FSB said that the “basis for the search activities was the appeal of the competent US authorities,” according to a Google translation of the release.

The authorities searched 25 residences of the 14 members, seizing 426 million Rubles (some in cryptocurrency), $600,000, and 500,000 euros, as well as computers, crypto wallets and 20 “premium cars,” according to the press release.

The U.S. Department of Justice did not immediately respond to a request for comment.

In the last year, the U.S. government has ramped up pressure both on ransomware gangs, and the Russian government, accusing it of willingly harboring what are effectively organized criminal organizations. 

It’s unclear who the 14 members of the REvil gang arrested today are, they could be the main operators and coders, or they could be lower level members. Either way, Russian government authorities arresting anyone allegedly involved in ransomware is a significant development. 

“I think it shows that ransomware groups aren’t safe in Russia after they have outlived their usefulness,” Allan Liska, a security researcher that tracks ransomware and works for Recorded Future, told Motherboard in an online chat. “This is great news. REvil caused a lot of damage to a lot of organizations around the world and having them face consequences for these attacks is important.”

Brett Callow, a security researcher at Emsisoft, which specializes in tracking ransomware, said that “the million dollar [ruble] question is whether Russia is actually getting serious about tackling the ransomware problem, or whether REvil - who had already ceased operations - were sacrificed in an attempt to alleviate international pressure. I suspect the latter, but time will tell.”

“Whatever the case, the incidents will certainly be concerning to other cybercriminals, and especially those who’d formerly partnered with REvil. On that basis alone, this is a win,” he told Motherboard in an email.

This is the latest hit on the ransomware gang. In October, an international government coalition hacked REvil and pushed it offline, Reuters reported at the time. 

In November, the US Department of Justice announced that it had indicted two Ukrainian nationals for deploying REvil’s ransomware, and that it had seized $6.1 million that the two had received as payments from victims. 

This story has been updated to include Brett Callow’s comments.

Correction: A previous version of this article stated that REvil was responsible for hitting Colonial Pipeline. The FBI, however, has accused another ransomware group called DarkSide of the Colonial Pipeline hack.   

Subscribe to our new cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.