A bad day in the office for the REvil ransomware gang, as Russia arrests 14 members

Graham Cluley
@gcluley

Russia arrests 14 REvil ransomware gang members

While data-wiping malware is hitting the PCs of multiple Ukrainian organisations, Russia has taken the surprising step of arresting 14 members of the REvil ransomware gang.

After years of Russia ignoring demands from other countries to take action against notorious ransomware gangs, it finally appears to have done something… using information supplied to it by the USA.

Russia’s FSB claims that, besides dismantling the ransomware-as-a-service (RaaS) gang also known as Sodinokibi, it has seized over 426 million rubles (over US $5.5 million) and more than 20 “premium cars”.

In other words, a bad day in the office for REvil, which previously plagued the likes of IT service firm Kaseya and its clients, the world’s biggest meat supplier JBS, web hosting provider Managed.com and others.


Admittedly, it felt like the writing had been on the wall for REvil for some time, after reports last October that computer crime-fighting authorities had managed to hack REvil’s computer network infrastructure, and seized control of at least some of the group’s servers.

But for Russia to arrest REvil’s members and seize its money is a much worse move for the REvil gang than Western law enforcement agencies disrupting its activities.

A White House official told reporters that the arrests were welcomed by the Biden administration, and that “…we understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring.”

I’d be surprised to see Russia go one step further and extradite the suspects to face trial in the United States (where a $10 million reward has been offered).

So I wonder why Russia has finally done something now against a notorious ransomware gang. It’s a move which is likely to be welcomed by much of the world, just when Russia is feared to be preparing to invade one of its neighbours – a country which itself has just come under cyber attack.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
