The Federal Security Service (FSB) of the Russian Federation has announced that 14 individuals suspected of being part of the notorious REvil ransomware operation have been arrested in coordinated raids on 25 properties in the Leningrad, Lipetsk, Moscow, and St. Petersburg regions of Russia.
The FSB said the arrests were made after information was passed to the FSB from U.S. authorities about the leader of the REvil operation, along with a formal request to take action. “The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information, and extorting money for its decryption,” said the FSB in a statement about the arrests.
More than $5.6 million in cash was seized in the raids – 426 million rubles ($5.5 million), $600,000 in U.S. dollars, and €500,000 ($570,000) in euros – in addition to cryptocurrency wallets and 20 luxury vehicles, which are believed to have been purchased using the profits from the REvil ransomware attacks. Computer equipment was also seized, and the FSB claims the gang’s infrastructure has been neutralized.
The FSB said it was able to identify all members of the REvil gang and has documented evidence of their illegal activities, including the creation of file-encrypting malware, use of that malware in attacks on enterprise networks around the world, and the theft of money from the bank accounts of foreign citizens. The 14 individuals have been charged with crimes under part 2 of Art. 187 “Illegal turnover of means of payments” of the Criminal Code of Russia.
Two months ago, the U.S. Department of Justice charged a 22-year-old Ukrainian citizen for his role in orchestrating the ransomware attack on Kaseya, and last year 7 REvil gang members were arrested in an international law enforcement operation coordinated by Europol and Eurojust. President Biden has been putting pressure on the Russian President to take action against ransomware gangs operating out of Russia following the ransomware attacks on JBS Food and Colonial Pipeline, but until now little action appeared to have been taken.
It remains to be seen if this was a one-off law enforcement operation or if it will be part of a bigger crackdown on ransomware gangs operating in the country.