Russia ”neutralizes” REvil ransomware gang, arrests 14

According to Russia’s top agency FSB (Federal Security Service), the arrests against the Revil ransomware gang were made at the request of the government of the United States.

Russia’s Federal Security Service (FSB) has arrested and charged 14 suspects for their connection with the infamous Revil ransomware gang (aka Sodinokibi). The arrests were made at the request of the United States, the agency said on Friday, January 14th.

This marks the apparent end of the REvil ransomware gang involved in some of the largest ever ransomware attacks against the critical infrastructure in the United States including the attack on Kaseya Limited, a leading provider of IT and security management solutions.

The news came just a day after Ukrainian authorities arrested 5 suspects for carrying out ransomware attacks against international businesses costing millions of dollars in damages.

Raids, property seizure, and arrests

According to local Russian media, FSB, the principal security agency of the country raided 25 different locations in several Russian cities including the Capital Moscow, St. Petersburg, Lipetsk, and Leningrad.

Furthermore, authorities seized assets worth more than 426 million rubles (£4 million – $5.5 million – €4.8 million euros) in cash and cryptocurrency. More over, 20 luxury vehicles purchased with money obtained from ransom payments were also confiscated.

The FSB has confirmed that all 14 suspects have been charged with committing crimes under Part 2 of Art. 187 “Illegal circulation of means of payment” of the Criminal Code of Russia.

Russia ''neutralizes'' Revil ransomware gang, arrests 14
Blockchain account of the REvil ransomware gang (Screengrab via FSB)
Russia ''neutralizes'' Revil ransomware gang, arrests 14
Funds confiscated from the REvil ransomware gang (Screengrab via FSB)
Russia ''neutralizes'' Revil ransomware gang, arrests 14
One of the the REvil ransomware gang members being arrested (Screengrab via FSB)
Russia ''neutralizes'' Revil ransomware gang, arrests 14
One of the the REvil ransomware gang members being arrested (Screengrab via FSB)

REvil ransomware gang has been “neutralized”

In a press release, FSB added that the REvil ransomware gang has been completely dismantled and that the infrastructure used by the threat actors has been “neutralized.”

“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community has ceased to exist, the information infrastructure used for criminal purposes has been neutralized. Representatives of the US competent authorities have been informed about the results of the operation.”


Modus Operandi

Like any other ransomware gang, the modus operandi of REvil involved exploiting security vulnerabilities and compromising targets. The group would encrypt files on targeted computers and demand ransom payments. In case their demands were not met the attackers would leak the data online.

In the Kaseya attack, the REvil ransomware operators demanded a $70 million ransom. Some of the gang’s other notable targets include AcerQuantaMasMovilSol Oriens, and the State Bank of Chile.

Ziv Mador, VP of Security Research at Trustwave SpiderLabs stated that the actions from Russia’s top-secret agency which is directly overseen by President Vladimir Putin are “unprecedented.” 

However, he also warned that REvil resources could reemerge in another form as seen with other ransomware groups many times in the past such as the appearance of Haron and BlackMatter ransomware groups right after the disappearance of DarkMatter and REvil in July 2021.

“This unprecedented action from the Russian Federal Security Service (FSB) aligns with the fear that we’ve observed while conducting cybercriminal chatter reconnaissance on the Dark Web. Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia, Ziv said.

More ransomware news from

Conti Ransomware Group Exploiting Log4j Vulnerability

Romanian arrested for ransomware attacks and data theft

Canadian Citizen Charged for Ransomware Attacks in Alaska

Ransomware attack on New Mexico jail put prisoners in lockdown

FBI warns of hackers mailing malicious USB drives to spread ransomware

Related Posts