REvil Ransomware Hackers Arrested By Russian Authorities

Russian officials said they seized more than 426 million Rubles (roughly $5.5 million), $600,000 of American currency, 500,000 Euros (roughly $570,000), and 20 luxury cars from the homes of REvil gang members.

The infamous REvil ransomware operation has been “neutralized” after Russian authorities raided and arrested more than a dozen of the gang’s members.

The Russian domestic intelligence service (FSB) announced Friday that raids took place at 25 addresses across the Moscow, St. Petersburg, Leningrad, and Lipetsk regions belonging to 14 alleged members of REvil. The search was prompted by a report by the U.S. government on the REvil leader, and the FSB said American authorities were informed about the results of the operation against REvil.

“The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB announced Friday.

[Related: Feds Unveil Arrest In Kaseya Ransomware Attack]

Russian authorities said they seized more than 426 million Rubles (approximately $5.5 million), $600,000 of American currency, and 500,000 Euros (approximately $570,000) from the homes of REvil leaders. The FSB said they also confiscated 20 luxury cars purchased with money obtained from cybercrime; computer equipment; and cryptocurrency wallets used to carry out ransomware activity.

The FSB said it was able to identify members of the REvil organization, document their illegal activities, and establish member involvement in “illegal circulation of means of payment.” The Russian raid comes two months after U.S. authorities announced they had arrested the Ukrainian national responsible for the Kaseya attack and seized more than $6 million from another REvil member involved in 3,000 attacks.

“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized,” the FSB wrote in its announcement.

A CRN analysis found that REvil and its affiliates carried out four of 2021’s ten biggest ransomware attacks, which is more than any other ransomware operator. REvil was behind the year’s biggest heist, when they exploited a flaw in Kaseya’s VSA remote monitoring and management tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their clients.

Back in March, REvil claimed they had broken into and stolen unencrypted data from PC giant Acer and posted alleged images from Acer’s financial spreadsheets, bank balances, and bank communications on their public leak site. In April, REvil stole product blueprints from Apple supplier Quanta Computer, posted technical files on their leak site and threatened to leak the files if Apple didn’t pay a ransom,

And in June, JBS paid $11 million to the REvil ransomware operators who temporarily knocked out plants that process roughly one-fifth of the nation’s meat supply, the company’s chief executive said. But by the time REvil resumed operations months after the Kaseya attack, law enforcement had breached the groups servers and were able to control some of the ransomware gangs’ machines.

REvil burst onto the scene in summer 2019 when one of its affiliates went after TSM Consulting, a small MSP providing products and services to 22 Texas towns and countries that were subject to a devastating ransomware attack. The REvil affiliate focused on managed service providers often targeted MSPs with a client base that was highly concentrated in a specific area such as nursing homes or dentist offices.