Ransomware Group REvil Dismantled in Raids, Russia Says

Moscow said the ransomware group REvil “ceased to exist” after raids and arrests. It is not clear if the operation will ease tensions with Washington.,

Moscow said the ransomware group REvil “ceased to exist” after raids and arrests. It is not clear if the operation will ease tensions with Washington.

MOSCOW — Russia’s main security agency said on Friday that at the request of the United States government it had dismantled REvil, one of the most aggressive ransomware crime groups attacking Western targets, and arrested some of its members.

The agency, known as the F.S.B., said “the organized crime gang ceased to exist” after a sweeping operation that was carried out in 25 locations across five Russian regions. The raids followed multiple requests by the Biden administration for the Kremlin to help shut down such groups.

The arrests were announced on the same day that the U.S. government accused Russia of sending saboteurs into Ukraine to create a pretext for invasion, and that hackers shut down dozens of Ukraine’s government websites — an attack that Ukrainian officials suggested had originated in Russia.

A senior Biden administration official said the Russian sweep of REvil had no bearing on the building tension over security in Europe and the fate of Ukraine, with Russia massing troops near Ukraine’s borders and demanding that NATO pull back in Eastern Europe. But it is not clear whether the Kremlin sees this rare example of cooperation between the two countries as unrelated to Ukraine.

The official, speaking on condition of anonymity to brief reporters, said the administration believed one of those arrested on Friday was involved in a ransomware hack last year that shut down the Colonial Pipeline, a major artery of fuel for the eastern United States. That attack was attributed to a group called DarkSide that is also believed to operate in Russia and to have ties to REvil.

In July, President Biden warned President Vladimir V. Putin of Russia that the country could face grave consequences if it did not act swiftly on neutralizing groups like REvil. In November, the State Department announced it was offering a reward of up to $10 million for information about REvil’s leaders.

Image

Andrei Bessonov, detained on suspicion of the illegal circulation of means of payment as a member of the REvil hacking group, during a court hearing in Moscow, on Friday.Credit…Tverskoy District Court, via Reuters

Image

Roman Muromsky, detained on suspicion of the illegal circulation of means of payment as a member of the REvil hacking group, during a court hearing in Moscow, on Friday.Credit…Tverskoy District Court, via Reuters

Later on Friday, a court in Moscow placed in custody two members of the group, identified by Interfax, a Russian news agency, as Andrei Bessonov and Roman Muromsky. Russian authorities did not describe the men’s roles in REvil, or say what evidence linked them to the group.

The F.S.B. did not say how many people it had arrested, or whether they included the group’s leaders. It remains to be seen whether the operation really spells the end of REvil; in the past, such groups have reformed under new names.

U.S. officials have said that the Kremlin could shut down hacker groups like REvil, but tolerates or even encourages them, as long as their targets are outside of Russia.

In July, following President Biden’s ultimatum, REvil went offline, fueling speculations about whether the Kremlin had ordered the group to go quiet, or the United States or its allies had managed to disrupt its operations, or the group itself had decided to go underground, fearing that the heat had become too intense.

However, it resurfaced two months later, reactivating a portal victims use to make payments. In October, it was again forced offline, temporarily, by a counter-hacking effort mounted by the governments of several countries, including the United States.

REvil, short for “ransomware evil” has been one of the most notorious ransomware hacking groups sought by United States law enforcement. Ransomware groups hack into a victim’s computer system and encrypt its data, effectively locking out the owners, and extort them for money — sometimes millions of dollars, paid in cryptocurrency — in return for reversing the encryption.

What to Know About Ransomware Attacks

Card 1 of 5

What are ransomware attacks? This form of cybercrime involves hackers breaking into computer networks and locking digital information until the victim pays for its release. Recent high-profile attacks have cast a spotlight on this rapidly expanding criminal industry, which is based primarily in Russia.

Why are they becoming more common? Experts say ransomware is attractive to criminals because the attacks take place mostly anonymously online, minimizing the chances of getting caught. The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011.

Is there any connection to the rise of cryptocurrencies? The criminal industry’s growth has been abetted by cryptocurrencies, like Bitcoin, which allow hackers to transact with victims anonymously, though experts see virtual currency exchanges as a weak point for ransomware gangs.

What is being done about these attacks? The U.S. military has taken offensive measures against ransomware groups, and the Biden administration has taken legal and economic action. Recent attacks have propelled ransomware to the top of President Biden’s national security agenda.

Why is the government getting involved? The attacks, which were mostly directed at individuals a few years ago, have dramatically escalated as hackers have begun targeting critical infrastructure in the U.S., including a major gasoline pipeline and meat processing plants.

U.S. intelligence agencies identified REvil as responsible for the attack on one of America’s largest beef producers, JBS, last June, forcing the shutdown of nine beef plants. In the end, JBS said it had paid an $11 million ransom in Bitcoin. The operator of the Colonial Pipeline paid almost $5 million in Bitcoin.

REvil also took credit for what was described as the biggest ransomware hack ever in July, affecting up to 1,500 businesses around the world.

The organization boasted about its attacks on its site — called “Happy Blog” — on the dark web, where it listed some of its victims and earnings from its digital extortion schemes.

In September, a report by the cybersecurity company Recorded Future said that Russian intelligence officials have longstanding ties to cybercrime groups. “In some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors,” it said.

On Friday, the F.S.B. said in a statement that it had informed the U.S. government of the sweep against REvil, including searches of the residences of 14 group members, adding that it had seized more than $5.5 million in rubles, dollars, euros and cryptocurrencies, as well as 20 luxury cars.

REvil, it said, had “developed malware, organized the theft of funds from bank accounts of foreign citizens, and also cashed them out, including by buying expensive goods online.”

Footage of the arrests, aired by Russian news channels, showed agents breaking into apartments and pushing young men to the floor and handcuffing them. The video also showed large piles of dollars and rubles being seized and counted, and masked agents looking through confiscated computers.

David E. Sanger contributed reporting from Washington.

Leave a Reply