Russia Detains REvil Ransomware Hackers at the Request of U.S. 

Jan 14, 2022

(Bloomberg) -- Russia detained several members of the notorious REvil ransomware gang at the request of U.S. law enforcement in a sweeping operation around the country, according to the Federal Security Service, or FSB. 

Law enforcement raided the homes of 14 members of REvil and seized currency worth nearly $7 million, cryptowallets and 20 premium-class cars, according to an FSB statement Friday. Authorities in the U.S. have been informed that the group was shut down, it said. 

“REvil,” short for “Ransomware-Evil,” has been among the most prolific cyber gangs to hold data for ransom and was accused of leading a flurry of attacks last year against companies and organizations, including one last May on U.S. meatpacker JBS SA, which eventually paid an $11 million ransom.

The White House didn’t immediately respond to a request for comment, nor did the Russian Embassy in Washington.

The arrests mark a rare example of cooperation between Russia and the U.S. at a time when tensions are high over a mass buildup of Russian troops near the border with Ukraine. The U.S. is putting pressure on Europe to agree on potential sanctions amid concerns President Vladimir Putin could soon invade Ukraine, according to people familiar with the discussions. Russia denies it plans any invasion of its neighbor.

REvil was one of the most successful cyber gangs to conduct what’s known as “ransomware as a service.” In most cases, affiliates of REvil would break into companies, while the REvil gang provided the encryption software and customer support for a cut of the illicit proceeds.

“The ransomware was highly adaptable and the REvil team poured resources into regular improvements of the code, adding new features and fixing bugs,” said Allan Liska, senior threat analyst at the cybersecurity firm Recorded Future Inc.

REvil, also known as Sodinokibi, was also accused of ransomware attacks on more than 20 Texas municipalities, in addition to the computer giant Acer and the software provider Kaseya. While the May attack on Colonial Pipeline Co., which led to panic buying of gasoline across the U.S. East Coast and a major U.S. government response, was linked to the ransomware group DarkSide, cybersecurity experts said there was overlap between that group and REvil.   

Russia-linked ransomware groups were so disruptive that President Joe Biden pressed Putin to act during a call in July. REvil vanished from the dark web for nearly two months before reappearing in September. 

The suspects won’t be extradited to the U.S., Russia’s Interfax news service reported, citing an unidentified person familiar with the case. 

“REvil is a direct descendant of the GandCrab ransomware group,” Liska said. “This is important because GandCrab was really the first ransomware group to offer a successful RaaS model, a model that has since been copied by so many other groups.”

©2022 Bloomberg L.P.