Russia Takes Down REvil Hackers as Ukraine Tensions Mount

Over a dozen alleged members of the notorious ransomware group have been arrested, but the Kremlin's critics are wary of the underlying motivation.
russian flag
The arrests could prove to be a watershed moment in the urgent international effort to tackle ransomware.Photograph: Oleg Elkov/Getty Images

For years the notorious Russia-based REvil criminal gang has attacked targets ruthlessly. Last May the group, along with its affiliates, disrupted production at meat supplier JBS, netting itself $11 million in ransom payment. Two months later it incapacitated thousands of businesses as it exploited a vulnerability in the update mechanism of IT services company Kaseya. REvil’s attacks have largely gone unpunished—until now.

In an unprecedented move that’s likely to send ripples through the inner circles of other Russia-based cybercriminal gangs, the country’s security agency has arrested 14 alleged members of REvil. The Federal Security Service (FSB) announced the arrests on Friday, according to reports from the independent Russian news agency Interfax and a press statement from FSB officials. It’s the first significant action against ransomware gangs the Russian government has taken, after years of ignoring international pressure.

“For the longest time REvil, and specifically the lead operator Unknown, felt that they could operate with impunity. This arrest shows that even ransomware groups operating in Russia aren’t untouchable,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “I think it shows that as long as ransomware groups are useful they are safe, but as soon as they are no longer useful they could wind up in jail.”

REvil dropped off the radar in July amid intense scrutiny, only to return a few months later. But the revival was brief, as an international law enforcement effort knocked the group back offline in October.

During the arrests Friday, officials from FSB and the Department of the Ministry of Internal Affairs seized computer equipment, 20 luxury cars, and more than $5.5 million in rubles and cryptocurrency. Law enforcement also seized control of cryptocurrency wallets used by the suspects and recouped nearly $1.2 million in foreign cash troves.

The suspects have not been named, but the arrests took place in Moscow, St. Petersburg, and the Lipetsk region south of the Russian capital. Officials said the arrests were made for the “illegal turnover of means of payments,” and claim their actions have crippled REvil.

“The organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized,” a translated version of the FSB’s statement says. Reports from Russia claim the FSB took action following requests from the United States; in August president Joe Biden told Vladimir Putin that he must take action against cybercriminals operating in Russia.

The arrests could prove to be a watershed moment in the urgent international effort to tackle ransomware, given that Russian cooperation has been a crucial missing component of the global response. But the arrests also come at a time when Russia’s deployment of troops to Ukraine’s border has intensified tensions in the region. Three rounds of talks between Russia, the US, and NATO over the fate of Ukraine have failed to deescalate the situation. And as the FSB announced the REvil arrests Friday, more than a dozen Ukrainian government websites were defaced and hit with DDoS attacks, though the perpetrator of the attacks is still unknown.

“I think being concerned about Russia’s ulterior motives [for conducting the REvil arrests] is perfectly reasonable,” says John Hultquist, vice president of threat intelligence at the security firm Mandiant. “This essentially is a feather in their cap and you could definitely take a cynical view of it and think that it’s all signaling. But I think ultimately it’s still good news. The actors needed to know that if you are harassing thousands of people and stealing hundreds of millions of dollars you can’t just ride off into the sunset.”

It isn’t the first time an alleged member of REvil has faced action from law enforcement. In November, 22-year-old Ukrainian national Yaroslav Vasinskyi was arrested in Poland and accused of conducting the Kaseya attack. Vasinskyi allegedly abused a Kaseya product to deploy REvil code that then spread the group's ransomware via Kaseya’s networks, according to a Department of Justice indictment. Yevgeniy Polyanin, a 28-year-old Russian national, was also charged with deploying REvil’s ransomware—he’s accused of conducting 3,000 ransomware attacks—and had $6.1 million of his assets seized.

Law enforcement agencies around the world, including in Ukraine, have increasingly been working together in efforts to tackle ransomware actors. Since February 2021, Europol has arrested five hackers linked to REvil and says 17 countries have been working on its investigations. These include the US, UK, France, Germany, and Australia.

Without cooperation from Russia, though, officials have had some hard limits on which gangs they could effectively target. After hitting a zenith—or nadir—with a series of disruptive and destructive attacks in the summer of 2021, REvil mostly went dark after international law enforcement compromised its infrastructure. Other Russia-based groups, though, like the notorious DarkSide gang and its successor BlackMatter, have continued their targeting, at least for now.

“The big question, I suppose, is does this represent a real shift in Russia’s intentions to deal with this problem, or has REvil simply been sacrificed in an attempt to alleviate some international pressure?” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “I would suspect the latter.”

Callow and others emphasize, though, that while it will take time to learn more about the Russian government’s approach, seeing so many REvil operators apprehended should provide some amount of deterrent effect. And in an interconnected industry like the ransomware market, every disruption is significant.

“I agree there must be a motivation other than ‘the US asked us nicely,’ but regardless, this will further disrupt the ransomware economy, at least in the short term,” says incident responder and former NSA hacker Jake Williams.

In the long term, several ransomware groups operating out of Russia remain highly active. The REvil takedown is a sign of progress, but what really matters will be the Kremlin’s appetite for pursuing those other gangs as well.


More Great WIRED Stories