January 14, 2022

The Russian government said today it arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the nation’s border with Ukraine.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members, and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than $600,000 US dollars, 426 million rubles (~$USD 5.5 million), 500,000 euros, and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on the appeal of the US authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB said. “Representatives of the US competent authorities have been informed about the results of the operation.”

The FSB did not release the names of any of the individuals arrested, although a report from the Russian news agency TASS mentions two defendants: Roman Gennadyevich Muromsky, and Andrey Sergeevich Bessonov. Russian media outlet RIA Novosti released video footage from some of the raids:

REvil is widely thought to be a reincarnation of GandCrab, a Russian-language ransomware affiliate program that bragged of stealing more than $2 billion when it closed up shop in the summer of 2019. For roughly the next two years, REvil’s “Happy Blog” would churn out press releases naming and shaming dozens of new victims each week. A February 2021 analysis from researchers at IBM found the REvil gang earned more than $120 million in 2020 alone.

But all that changed last summer, when REvil associates working with another ransomware group — DarkSide — attacked Colonial Pipeline, causing fuel shortages and price spikes across the United States. Just months later, a multi-country law enforcement operation allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced it arrested seven REvil affliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals, which referred to the men as “REvil Affiliate #22” and “REvil Affiliate #23.”

It is clear that U.S. authorities have known for some time the real names of REvil’s top captains and moneymakers. Last fall, President Biden told Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

So why now? Russia has amassed approximately 100,000 troops along its southern border with Ukraine, and diplomatic efforts to defuse the situation have reportedly broken down. The Washington Post and other media outlets today report that the Biden administration has accused Moscow of sending saboteurs into Eastern Ukraine to stage an incident that could give Putin a pretext for ordering an invasion.

“The most interesting thing about these arrests is the timing,” said Kevin Breen, director of threat research at Immersive Labs. “For years, Russian Government policy on cybercriminals has been less than proactive to say the least. With Russia and the US currently at the diplomatic table, these arrests are likely part of a far wider, multi-layered, political negotiation.”

President Biden has warned that Russia can expect severe sanctions should it choose to invade Ukraine. But Putin in turn has said such sanctions could cause a complete break in diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder of and former chief technology officer for the security firm CrowdStrike, called the REvil arrests in Russia “ransomware diplomacy.”

“This is Russian ransomware diplomacy,” Alperovitch said on Twitter. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.”

The REvil arrests were announced as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the Internet. “Be afraid and expect the worst,” the message warned.

Experts say there is good reason for Ukraine to be afraid. Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

The warning left behind on Ukrainian government websites that were defaced in the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia also has been suspected of releasing NotPetya, a large-scale cyberattack initially aimed at Ukrainian businesses that ended up creating an extremely disruptive and expensive global malware outbreak.

Although there has been no clear attribution of these latest attacks to Russia, there is reason to suspect Russia’s hand, said David Salvo, deputy director of The Alliance for Securing Democracy.

“These are tried and true Russian tactics. Russia used cyber operations and information operations in the run-up to its invasion of Georgia in 2008. It has long waged massive cyberattacks against Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it is completely unsurprising that it would use these tactics now when it is clear Moscow is looking for any pretext to invade Ukraine again and cast blame on the West in its typical cynical fashion.”


52 thoughts on “At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

  1. Comrade Lenin

    There is that, and the fact that some nice hard confiscated cash goes into the coffers of Senor Putin. Good to have when you are staging an invasion. I’m betting those arrested hackers moved right from the paddy wagon into the Russian version of the NSA where they are now making even more money, just not for themselves.

    Reply
    1. Michael Goldberg

      Still the FSB wouldn’t be able to compete financially with our secret services, all that cocaine and weapon money that is pouring into CIA’s pockets. How much money we’ve made from invading Iraq? Our government is the most hypocritical political structure in the world. How many wars we’ve started since the 50’s?

      Reply
      1. Geenie

        So true! It’s USA’s interest that Ukraine joins NATO so obvious! Imposing sanctions on a country that is trying to maintain its geopolitical interests in Eastern Europe and keep USA away from it’s borders.

        Reply
  2. Bill Murphy

    Unfortunate. The Russians shouldn’t collaborate with the american empire to arrest these heroes, all americans everywhere are legitimate targets.

    Reply
  3. shu

    “Leningrad” is the old name of St Petersburg. Original article mentions “Moscow, St Petersburg, Moscow and Leningrad regions, …”.

    Reply
    1. Someone

      It is correct, funny enough – Moscow and StPetersburg are cities, but regions (oblasti) are still named after old toponyms, so St.-Petersburg is still a center of Leningrad region (Leningradskaya obl.).

      Reply
    2. Ping

      Click outside the St Petersburg city limits on Google Maps and you’ll see it is still Leningrad Oblast

      Reply
  4. Random Sysadmin

    This is the best news I’ve read in a long time! As a sysadmin these guys have shortened my life with the amount of stress I’ve had over ransomware. They can rot.

    Reply
  5. The Sunshine State

    All those $100 bills in that video!

    The great Gordon Gekko once said “greed , for lack of a better word is good ” I guess the cyber criminals in Russia are following that quote , and like the movie hero, are eventually ending up in prison.

    Reply
  6. Paul Westerberg

    It’s nice to have an administration that is not in Putie’s pocket anymore. He has stirred the pot for too long and in my opinion really helped divide our country. If Russia invaded Ukraine and the US hits them hard for sanctions, our private and public security infrastructure will be tested.

    Reply
    1. Hai Phan

      Dear Sir, why did the Russian not try to invade Ukraine when they had the administration in their pocket?

      Reply
      1. JamminJ

        Bold moves are usually reserved for the 2nd term of an American president. Putin may have thought they could repeat 2016, but US cyber was more prepared this time.
        With reelection looming, Putin would be foolish to harm Trump’s chances by invading Ukraine then. Especially after all that effort to help him into office.

        Reply
        1. Paul Westerberg

          Very good point. You have to wonder how much military or other intelligence the former administration handed over to Putin in order to get large debt forgiveness.

          Reply
  7. Myrddin Emrys

    It’s not worth overlooking the annexation of Ukraine just for this; I hope Biden doesn’t stop pressuring Russia to back off.

    Reply
    1. Eran Cook

      Why the world didn’t impose sanctions on US when we’ve invaded Iraq?

      Reply
      1. WK

        The second Iraq war was marketed as a) an attempt at removing dangerous chemical weapons that were in the hands of a power mad dictator and b) an extension of the operation to push the Iraqi invasion out of Kuwait. The chemical weapons thing was blatantly false, but US politicians and military pushed the narrative so hard that enough nations followed suit and the rest didn’t see a reasonable way to sanction the US or supporting nations.

        Reply
        1. an_n

          That’s pretty much entirely wrong. The “chemical weapons thing” was verified, Saddam had chemical weapons. Lots of them. He had used them so that threat was credible, but the vast majority of the weapons were not imminently ready to deploy, were buried, some amount transferred to Syria. That was not the major “failure” (or other) of intelligence in terms of assessing Iraq’s WMD armament. It was alleged that Saddam was proceeding towards atomic weapons based on a trend of dubious information, some of which was provided by good sources, some of which was provided by non-credible sources like “curveball” and some of which was contradicted by the UN inspection teams under Hans Blix. It was debated at length in terms of the risks of ignoring a terror threat that was known to have and use WMD’s that was potentially destabilizing not only to the region but to the entire world given the location. There was very little involving Kuwait in that decision process the second time per your “b”, (certainly compared to the stated predication for the first Iraq war), and there was speculation about a crash biological warfare program involving buried lab trucks. Saddam was not as close to atomic weapons as we had believed, but there was no definitive external evidence that he wasn’t either. Whether you agree with the US intelligence decision that he was a clear and present danger to US interests, Saddam Hussein was a menace. Our menace, if you recall, as we all but installed him to fight an also-enemy next door during the 1970’s and 80’s, to fight the religious hardliners that had rebuffed a US-installed coup d’etat there also under the Shah after the US/UK intelligence agencies overthrew Mossaddegh in 1953. So obviously it’s much more complicated.

          It ought be noted that none of this in any way absolves a Russian dictatorship’s actions on the world stage and is actively used as a go-to talking point of propaganda via “whattaboutism” to entirely pretend that “it’s only the United States” that takes issue with Russian APT state sponsored attacks, WMD deployments on foreign soil, assassinations of political rivals, threats to annex neighbors, or anything else. Every single time they trot this out as a defense of something Russia is doing, you can know that’s exactly what it’s intended to be : a smokescreen entirely. It has no tangible adjacent substance to add to this conversation. If we want to delve into exploring American adventurism, that’s fine. You don’t need Russia to be accused of something to do that, and in that context it’s pretty obvious what it is. Let’s try a little harder if we actually want answers and accountability on either side.

          Reply
          1. Chicago

            Throwing speculative facts doesn’t change the reality. USA is the biggest bully on the globe pushing forward the globalization and absorbing one half through an inflative capitalistic sponge and the other through murder. Lets not forget that Ukraine used to be a part of USSR for roughly 100 years, Russia’s actions are wrong but this is their way of protecting the nations interest. We bring up Russia’s actions only because it interferes with USA’s interests in Eastern Europe.

            Reply
            1. SeymourB

              Let’s not forget the Holodomor, where Russia essentially starved Ukraine by redirecting food that would have fed Ukrainians to Russia. And by pure coincidence this happened after Ukraine started talking about independence, about leaving the USSR. The USA has done very horrible things but it’s hypocritical at the very least to ignore all the horrific things Russia has done and continues to do. The last time the US invaded Mexico was over a hundred years ago, meanwhile the last time Russia invaded Ukraine was 2016. And Russian has yet to return the territory it stole. Russia is hardly innocent or even defensible in how it continues to treat Ukraine, a sovereign nation with every bit as much a right to exist as Russia.

              Reply
            2. an_n

              If you’ve never heard of China, perhaps that was true at one time.
              “actions are wrong but this is their way of protecting the nations interest.”
              A convenient excuse for anything at all. I’m not defending all US actions,
              the point is that bringing them up as whattaboutism is entirely obvious.

              “We bring up Russia’s actions only because it interferes with USA’s interests in Eastern Europe.”
              Yes of course, the US plans to annex Ukraine via NATO. You can tell. (/s)

              Reply
            3. Ping

              Nah, the biggest bully is Israel. The US just provides the disposable heroes

              Reply
          2. Concerned realist

            I think that some facts not stated here are more than enough to have had Saddam removed from power. Namely:
            – Saddam had the fourth largest army on Earth (why, for such a small nation?), and he was not afraid to use it as he showed on several occasions (anyone remember the USS Stark?).
            – He was interested in several WMD technologies and actively pursued them (ICBMs and other long range missiles, nuclear, biological and chemical weapons, super-long range cannons). He also used long-range missiles on regular occasion to fire pot shots at Israel.
            – He was – after being indoctrinated at a young age to it by his father – an ardent fan and proponent of Adolph Hitler and Nazi strategies (e.g. “Lebensraum”; the “final solution” – he actually used chemical weapons on his own people and strutted around on camera among the bodies afterward, smiling, pointing, and laughing at the poor dead souls).

            The man was insane and getting worse. Killing his own kin in cold blood also belongs up there on that list, not that it is any more or less heinous than the other murders he committed. The list of crimes he and his sons were allowed to commit come close to matching up with those of Stalin, Mao Zedong, Idi Amin, the Khmer Rouge, and others too numerous to mention here. And although he had a fair bit to go to meet the same level of devastation perpetrated by his hero Adolf, it is my belief Saddam was gunning for it.

            However, even though I do believe he needed to be taken down, I don’t think we should have stayed. It was a major screw up beyond belief of the US not having a plan of what to actually do after succeeding with the invasion that made the worst part of the entire episode. It’s like when the dog finally catches the mailman, and thinks “now what?” One of my favorite quotes is from Collin Powell, may he rest in peace, speaking to Bush 43 pre-invasion: “You break it, you bought it.”

            Reply
  8. Clausewitz4.0

    Thanks Krebs for the always good security update.

    As a professional in the information security field, I advise all engineers to produce a signed contract, where you are immune from prosecution, before engaging in any Red Team or pentest operation. I have a few of those signed with clients.

    Keep up the good work, always remembering, sometimes it is difficult to catch those hackers, and sometimes it is just impossible.

    Reply
    1. CC

      Just a quick note on the legalese. Prosecution is a function of the state, you can’t “contract” your way around it. But you can have the engagement letter/agreement both a) grant you permission for all the tasks; b) have an indemnity clause where the company defends you and covers any 3rd party liability costs.

      Reply
      1. Clausewitz4.0

        All my clients assume full responsability due to use and/or bad use of the software I produced to them. This is one of the clauses.

        All my clients assume liability in all spheres of the law – civil, criminal, proceedings, administrative. This is another of the clauses.

        All of my clients assume they can only use any software I program inside the country it was made, Brazil. This is another of the clauses.

        Reply
      2. security vet

        …we used to call it a “get out of jail free” card…

        …basically a hold harmless and the client agrees to defend you on their nickel

        Reply
  9. Paul W

    I presume the Russian invasion of Ukraine will happen before any extradition so this is basically just implying a possibility of future cooperation in return for ignoring political reality.

    If we don’t see a dramatic reduction in ransomware from Russian actors we can probably also assume that Putin told the REvil hackers to relax, they won’t be extradited so tell their friends to continue as before. Bring in that hard currency!

    Reply
  10. ReadandShare

    Sadly, I don’t see an angel among China, Russia or America. Pity the rest of the world.

    Reply
  11. J@x

    The message posted on the hacked Ukrainian websites is also politically motivated. It is allegedly a revenge and a warning for the slaughter of Poles in Wołnia, the slaughter was carried out by the UPA. It is about fueling hatred between Ukrainians and Poles. At the same time, it points to Poland as the initiator of the attacks. The syntax and grammar of the Polish version of the text indicates that the message was prepared by a Russian-speaking person.

    Reply
  12. Jakub Narębski

    Note that the Polish version of the warning left behind on defaced Ukrainian government websites looks like machine translation, or a direct word-for-word translation of Russian source – the style and the word choice is bad.

    Reply
  13. Catwhisperer

    There is another view that can be taken in the West about this. That the individuals “arrested” are actually being “conscripted” into the service of the Motherland due to their, um, unique talents and knowledge. There is nothing that will raise the civic minded patriotic spirit of a member of the proletariat like the alternative of a long prison term in some nether cold region of Siberia. Time will tell which it is…

    Reply
  14. c1ue

    Stick to cyber security, Mr Krebs
    In particular, no mention whatsoever of the Russia published requests to limit strategic escalation of dual capability missiles in Eastern Europe, or NATO expansion or any number of other issues.
    Everything above regarding “Russian intentions” comes straight from the US deep state.
    Not is Alperovitch necessarily a credible source given his Ukrainian plus Democrat party tieins.
    If you look at the big picture, it is laughable that Revil prosecution cooperation matters a hill of beans compared to what is really at stake.

    Reply
    1. Brian Fiori (AKA The Dean)

      This IS about cyber security. And yes, maybe there are bigger issues in the world, but are you suggesting we ignore all of them? Forget everyday crime because there are bigger issues? Seriously?

      Oh and your use of phrases like “the US deep state” does’t help make your point. It only serves to make you sound really, REALLY stupid.

      Reply
    2. BrianKrebs Post author

      Thanks for the laugh. As if ransomware wasn’t cybersecurity. As if the individuals responsible for inflicting so much damage on so many organizations weren’t cybercriminals. The prosecution of these individuals is a very big deal.

      Reply
  15. Ian Sheldon

    Don’t know if it was mentioned above, but St. Petersburg = Leningrad…

    Reply
    1. Mika

      It was mentioned by someone more knowledgeable than you or me. Leningrad means outside of the city. They wrote: “Moscow and St Petersburg are cities, but regions (oblasti) are still named after old toponyms, so St.-Petersburg is still a center of Leningrad region”.

      Reply
  16. Mahhn

    It is soooo nice to hear they were busted, and I am sure no matter what, they won’t get their money back.
    On the downside, the politics of crime (or crime of politics) is disgusting and I hope they “all” meet karma sooner than later.

    Reply
  17. Hai Phan

    On matter of geopolitics I’m afraid we are being victims of disinformation from both sides. Skeptics from each side are called trolls, and it’s quite easy to see them as victims of enemy propaganda. But the info you are fed are always lopsided, when stakes are this high. Unless we refuse to claim our side’s steadfast moral superiority, we allow those in power to give false pretext for escalation again and again, such as Iraq, which severely undermined our claim to be “the good guys”.

    Reply
    1. Brian Fiori (AKA The Dean)

      Employing ransomware to extort money is reprehensible no matter in what name or cause for which it is done. If it’s done in the USA, Canada, China, Russia—it doesn’t matter. It’s still theft. And in many cases puts human lives at risk.

      Why complicate something that is so simple by introducing political excuses?

      Reply
      1. Clausewitz4.0

        Because to complicate things is intrinsically part of the human nature.
        One could argue that if a jornalist installs or use hidden cameras inside an individual’s private property, he is commiting theft of IP ( intellectual property ) and human rights violation.
        But the jornalist can argue he is an “investigative” jornalist. But he still commited crimes.

        Reply
        1. Mahhn

          and how does that information (camera); prevent medical treatment, shut down fuel/food supply?
          All I see in your words is you trying to justify (personal?) criminal activity. Crocodile tears don’t fly.

          Reply
  18. Sam in Mellen

    Putin and his puppets have no credibility. They didn’t dismantle this without letting the state-connected members escape and they certainly aren’t going to discourage anything that disrupt’s Putin’s real or imagined enemies.

    Reply
  19. Jerry Werzinsky

    Russia will probably stage an event like the Nazis did in Poland and Japan did in Manchuria. Totalitarian nations lack creativity since they get away with lying to their citizens all the time.

    Reply
  20. R

    The complete raid video is fake, fabricated in typical Russian style. You all got fooled.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *