Russia Takes Down REvil Hackers—as Ukraine Tensions Mount


For years the notorious Russia-based REvil criminal gang has attacked targets ruthlessly. Last May the group, along with its affiliates, disrupted production at meat supplier JBS, netting itself $11 million in ransom payment. Two months later it incapacitated thousands of businesses as it exploited a vulnerability in the update mechanism of IT services company Kaseya. REvil’s attacks have largely gone unpunished—until now.

In an unprecedented move that’s likely to send ripples through the inner circles of other Russia-based cybercriminal gangs, the country’s security agency has arrested 14 alleged members of REvil. The Federal Security Service (FSB) announced the arrests on Friday, according to reports from the independent Russian news agency Interfax

and a press statement from FSB officials. It’s the first significant action against ransomware gangs the Russian government has taken, after years of ignoring international pressure.

“For the longest time REvil, and specifically the lead operator Unknown, felt that they could operate with impunity. This arrest shows that even ransomware groups operating in Russia aren’t untouchable,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “I think it shows that as long as ransomware groups are useful they are safe, but as soon as they are no longer useful they could wind up in jail.”

REvil dropped off the radar in July amid intense scrutiny, only to return a few months later. But the revival was brief, as an international law enforcement effort knocked the group

back offline in October.

During the arrests Friday, officials from FSB and the Department of the Ministry of Internal Affairs seized computer equipment, 20 luxury cars, and more than $5.5 million in rubles and cryptocurrency. Law enforcement also seized control of cryptocurrency wallets used by the suspects and recouped nearly $1.2 million in foreign cash troves.

The suspects have not been named, but the arrests took place in Moscow, St. Petersburg, and the Lipetsk region south of the Russian capital. Officials said the arrests were made for the “illegal turnover of means of payments,” and claim their actions have crippled REvil.

“The organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized,” a translated version of the FSB’s statement says. Reports from Russia claim the FSB took action following requests from the United States; in August president Joe Biden told Vladimir Putin that he must take action against cybercriminals operating in Russia.