Russia Detains REvil Ransomware Hackers at the Request of U.S.


(Bloomberg) -- The Biden administration praised the Kremlin for detaining members of a notorious ransomware gang at the request of the U.S. in a sweeping operation across Russia.


Law enforcement raided the homes of 14 members of the gang REvil and seized currencies worth nearly $7 million, cryptowallets and 20 luxury cars, according to a statement Friday by Russia’s Federal Security Service, known as FSB. Authorities in the U.S. have been informed that the group was shut down, it said.

REvil, short for Ransomware-Evil, has been among the most prolific cyber gangs and was accused of leading a flurry of attacks last year against companies and organizations, including one last May on plants in North America and Australia for meatpacker JBS SA, which eventually paid an $11 million ransom.

In a call Friday with reporters, a senior administration official said the White House welcomed the actions taken by the Kremlin. The U.S. and Russia had set up an experts group on ransomware in June and have been sharing information, including about attacks on American critical infrastructure, the official said.

Among those arrested was an individual responsible for the May hack of Colonial Pipeline Co., the official said. That attack led to panic buying of gasoline across the U.S. East Coast and a major U.S. government response.

The arrests mark a rare example of cooperation between Russia and the U.S. at a time when tensions are high over a mass buildup of Russian troops near the border with Ukraine. The U.S. is putting pressure on Europe to agree on potential sanctions amid concerns President Vladimir Putin could soon invade Ukraine, according to people familiar with the discussions. Russia denies it plans any invasion of its neighbor.

It also came as Ukraine sustained its worst cyberattack in four years, which hit dozens of government websites. While Ukraine has previously accused Russia of waging major cyberattacks against its digital infrastructure, it wasn’t yet clear who was behind the recent intrusions.

The senior administration official said they didn’t believe the arrests were related to the events in Ukraine and that the White House would impose severe costs on Russia if it invades. Responding to a question, the official also said the White House expected the ransomware suspects to be prosecuted.

REvil was one of the most successful cyber gangs to conduct what’s known as “ransomware as a service.” In most cases, “affiliates” of REvil would break into companies, while the REvil gang provided the encryption software and customer support for a cut of the illicit proceeds.

REvil has received more than $200 million in ransom payments, paid in cryptocurrencies Bitcoin and Monero, according to the U.S. Treasury Department.

“REvil were probably the most brash and attention-seeking of the ransomware gangs, which may have contributed to their demise,” said Brett Callow, a threat analyst at the cybersecurity company Emsisoft. “Threat actors who acted as affiliates or were associated with the gang in other ways will, I suspect, be very concerned at this point.”

REvil, also known as Sodinokibi, was additionally accused of ransomware attacks on more than 20 Texas municipalities, as well as on the computer giant Acer Inc. and the software provider Kaseya. While the attack on Colonial Pipeline was linked to the ransomware group DarkSide, cybersecurity experts said there was overlap between that group and REvil.

Russia-linked ransomware groups were so disruptive that President Joe Biden pressed Putin to act during a call in July. REvil vanished from the dark web for nearly two months before reappearing in September.

The suspects won’t be extradited to the U.S., Russia’s Interfax news service reported, citing an unidentified person familiar with the case. The U.S. doesn’t have an extradition treaty with Russia.

The Biden administration has called it a priority to curb cyberattacks, particularly against critical infrastructure in the U.S. The REvil arrests are part of a series of disruptive actions taken against ransomware members by the U.S. and other nations, including the recovery of stolen funds and actions against cryptocurrency exchanges that allegedly enabled laundering of illicit funds.

“Although 2021 may have been the worst year from a cyberthreat perspective, we’ve had more notable wins by the good guys than in any previous year,” said Charles Carmakal, senior vice president at the cybersecurity firm Mandiant.


©2022 Bloomberg L.P.
