Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Russians Say They Shut Down REvil at the Request of the U.S.

January 18, 2022

Bleeping Computer reported on January 14 that the Federal Security Service (FSB) of the Russian Federation claimed they shut down the REvil ransomware gang after U.S. authorities reported on the leader.

Following police raids at 25 addresses, 14 members of the gang were arrested.

The FSB said: “The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption.”

Russian authorities confiscated cryptocurrency and fiat money as follows:

  • More than 426 million rubles (approximately $5.5 million)
  • 600 thousand US dollars
  • 500 thousand euros (approximately $570,000)

Russian authorities also confiscated 20 luxury cars purchased with money obtained from cyberattacks, as well as computer equipment and cryptocurrency wallets used to develop and maintain the RaaS operation.

The FSB said that it was able to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

It also said: “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized.”

In a single year, the gang claimed profits in excess of $100 million.

REvil’s most publicized gambit was the Kaseya supply-chain attack that crippled approximately 1,500 businesses globally. The ransom demand to decrypt all organizations was $70 million in Bitcoin.

This attack prompted a firm response from the U.S., with President Biden asking President Putin to take action against cybercriminals residing in Russia or face the U.S. taking action on its own.

After the Kaseya attack, the REvil operation disappeared and then resumed operations two months later. What the operators did not know was that law enforcement had breached their servers before the hiatus. When they restored the systems from backups, the gang members also restored machines controlled by law enforcement.

KrebsonSecurity also has a post on this story. Krebs believes, as I do, that the sudden cooperation of the Russians may be related to tensions over the Ukraine, where 100,000 Russian troops are now stationed. For years, the Russians left ransomware gangs untouched, so the sudden cooperation may be a diplomatic act as the U.S. and Russia are at odds over Russia’s military threat to the Ukraine.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology