{"id":18057,"date":"2022-02-02T10:48:18","date_gmt":"2022-02-02T18:48:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11790\/"},"modified":"2022-02-02T10:48:18","modified_gmt":"2022-02-02T18:48:18","slug":"news-11790","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11790\/","title":{"rendered":"Russia Takes Down REvil Hackers\u2014as Ukraine Tensions Mount"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e1bd24b92104f9e83d151d\/master\/pass\/Sec_RU_GettyImages-1199843836.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess, Lily Hay Newman| Date: Fri, 14 Jan 2022 18:17:29 +0000<\/strong><\/p>\n<p><span class=\"lead-in-text-callout\">For years the<\/span> notorious Russia-based REvil criminal gang has attacked targets ruthlessly. 
Last May the group, along with its affiliates, disrupted production at <a href=\"https:\/\/www.wired.com\/story\/jbs-ransomware-attack-underscores-dire-threat\/\">meat supplier JBS<\/a>, netting itself <a data-offer-url=\"https:\/\/www.bbc.co.uk\/news\/business-57423008\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bbc.co.uk\/news\/business-57423008&quot;}\" href=\"https:\/\/www.bbc.co.uk\/news\/business-57423008\" rel=\"nofollow noopener\" target=\"_blank\">$11 million<\/a> in ransom payment. Two months later it <a href=\"https:\/\/www.wired.com\/story\/revil-ransomware-supply-chain-technique\/\">incapacitated thousands of businesses<\/a> as it exploited a vulnerability in the update mechanism of IT services company Kaseya. REvil\u2019s attacks have largely gone unpunished\u2014until now.<\/p>\n<p class=\"paywall\">In an unprecedented move that\u2019s likely to send ripples through the inner circles of other Russia-based cybercriminal gangs, the country\u2019s security agency has arrested 14 alleged members of REvil. 
The Federal Security Service (FSB) announced the arrests on Friday, according to reports from the independent Russian news agency <a data-offer-url=\"https:\/\/www.interfax.ru\/russia\/815466\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.interfax.ru\/russia\/815466&quot;}\" href=\"https:\/\/www.interfax.ru\/russia\/815466\" rel=\"nofollow noopener\" target=\"_blank\"><em>Interfax<\/em><\/a> and a press statement from <a data-offer-url=\"http:\/\/www.fsb.ru\/fsb\/press\/message\/single.htm%21id%3D10439388%40fsbMessage.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;http:\/\/www.fsb.ru\/fsb\/press\/message\/single.htm%21id%3D10439388%40fsbMessage.html&quot;}\" href=\"http:\/\/www.fsb.ru\/fsb\/press\/message\/single.htm%21id%3D10439388%40fsbMessage.html\" rel=\"nofollow noopener\" target=\"_blank\">FSB officials<\/a>. It\u2019s the first significant action against ransomware gangs the Russian government has taken, after years of ignoring international pressure.<\/p>\n<p class=\"paywall\">\u201cFor the longest time REvil, and specifically the lead operator Unknown, felt that they could operate with impunity. This arrest shows that even ransomware groups operating in Russia aren\u2019t untouchable,\u201d says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. \u201cI think it shows that as long as ransomware groups are useful they are safe, but as soon as they are no longer useful they could wind up in jail.\u201d<\/p>\n<p class=\"paywall\">REvil dropped off the radar in July amid intense scrutiny, only to return a few months later. 
But the revival was brief, as an international law enforcement effort <a data-offer-url=\"https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/&quot;}\" href=\"https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/\" rel=\"nofollow noopener\" target=\"_blank\">knocked the group<\/a> back offline in October.<\/p>\n<p class=\"paywall\">During the arrests Friday, officials from FSB and the Department of the Ministry of Internal Affairs seized computer equipment, 20 luxury cars, and more than $5.5 million in rubles and cryptocurrency. Law enforcement also seized control of cryptocurrency wallets used by the suspects and recouped nearly $1.2 million in foreign cash troves.<\/p>\n<p class=\"paywall\">The suspects have not been named, but the arrests took place in Moscow, St. Petersburg, and the Lipetsk region south of the Russian capital. Officials said the arrests were made for the \u201cillegal turnover of means of payments,\u201d and claim their actions have crippled REvil.<\/p>\n<p class=\"paywall\">\u201cThe organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized,\u201d a translated version of the FSB\u2019s statement says. 
Reports from Russia <a data-offer-url=\"https:\/\/tass.ru\/proisshestviya\/13431243\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/tass.ru\/proisshestviya\/13431243&quot;}\" href=\"https:\/\/tass.ru\/proisshestviya\/13431243\" rel=\"nofollow noopener\" target=\"_blank\">claim<\/a> the FSB took action following requests from the United States; in August president Joe Biden told Vladimir Putin that he must take action against cybercriminals operating in Russia.<\/p>\n<p class=\"paywall\">The arrests could prove to be a watershed moment in the urgent international effort to tackle ransomware, given that <a href=\"https:\/\/www.wired.com\/story\/cl0p-ransomware-russia-putin-biden\/\">Russian cooperation has been a crucial missing component<\/a> of the global response. But the arrests also come at a time when Russia\u2019s deployment of troops to Ukraine\u2019s border has intensified tensions in the region. Three rounds of talks between Russia, the US, and NATO over the fate of Ukraine have <a data-offer-url=\"https:\/\/www.theguardian.com\/us-news\/2022\/jan\/10\/ukraine-talks-us-russia-latest\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theguardian.com\/us-news\/2022\/jan\/10\/ukraine-talks-us-russia-latest&quot;}\" href=\"https:\/\/www.theguardian.com\/us-news\/2022\/jan\/10\/ukraine-talks-us-russia-latest\" rel=\"nofollow noopener\" target=\"_blank\">failed to<\/a> deescalate the situation. 
And as the FSB announced the REvil arrests Friday, more than a dozen Ukrainian government websites were <a data-offer-url=\"https:\/\/www.bbc.co.uk\/news\/world-europe-59992531\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bbc.co.uk\/news\/world-europe-59992531&quot;}\" href=\"https:\/\/www.bbc.co.uk\/news\/world-europe-59992531\" rel=\"nofollow noopener\" target=\"_blank\">defaced and hit with DDoS attacks<\/a>, though the perpetrator of the attacks is still unknown.<\/p>\n<p class=\"paywall\">\u201cI think being concerned about Russia\u2019s ulterior motives [for conducting the REvil arrests] is perfectly reasonable,\u201d says John Hultquist, vice president of threat intelligence at the security firm Mandiant. \u201cThis essentially is a feather in their cap and you could definitely take a cynical view of it and think that it\u2019s all signaling. But I think ultimately it\u2019s still good news. The actors needed to know that if you are harassing thousands of people and stealing hundreds of millions of dollars you can\u2019t just ride off into the sunset.\u201d<\/p>\n<p class=\"paywall\">It isn\u2019t the first time an alleged member of REvil has faced action from law enforcement. In November, 22-year-old Ukrainian national Yaroslav Vasinskyi was arrested in Poland and <a href=\"https:\/\/www.wired.com\/story\/ransomware-revil-arrest-kaseya\/\">accused of conducting the Kaseya attack<\/a>. 
Vasinskyi allegedly abused a Kaseya product to deploy REvil code that then spread the group&#x27;s ransomware via Kaseya\u2019s networks, according to a <a data-offer-url=\"https:\/\/www.justice.gov\/opa\/pr\/ukrainian-arrested-and-charged-ransomware-attack-kaseya\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.justice.gov\/opa\/pr\/ukrainian-arrested-and-charged-ransomware-attack-kaseya&quot;}\" href=\"https:\/\/www.justice.gov\/opa\/pr\/ukrainian-arrested-and-charged-ransomware-attack-kaseya\" rel=\"nofollow noopener\" target=\"_blank\">Department of Justice indictment<\/a>. Yevgeniy Polyanin, a 28-year-old Russian national, was also charged with deploying REvil\u2019s ransomware\u2014he\u2019s accused of conducting 3,000 ransomware attacks\u2014and had $6.1 million of his assets seized.<\/p>\n<p class=\"paywall\">Law enforcement agencies around the world, including in Ukraine, have increasingly been working together in efforts to tackle ransomware actors. Since February 2021, Europol has arrested <a data-offer-url=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/five-affiliates-to-sodinokibi\/revil-unplugged\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/five-affiliates-to-sodinokibi\/revil-unplugged&quot;}\" href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/five-affiliates-to-sodinokibi\/revil-unplugged\" rel=\"nofollow noopener\" target=\"_blank\">five hackers linked to REvil<\/a> and says 17 countries have been working on its investigations. These include the US, UK, France, Germany, and Australia.<\/p>\n<p class=\"paywall\">Without cooperation from Russia, though, officials have had some hard limits on which gangs they could effectively target. 
After hitting a zenith\u2014or nadir\u2014with a series of disruptive and destructive attacks in the summer of 2021, REvil mostly went dark after international law enforcement compromised its <a data-offer-url=\"https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/&quot;}\" href=\"https:\/\/www.reuters.com\/technology\/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21\/\" rel=\"nofollow noopener\" target=\"_blank\">infrastructure<\/a>. Other Russia-based groups, though, like the <a href=\"https:\/\/www.wired.com\/story\/ransomware-gone-corporate-darkside-where-will-it-end\/\">notorious DarkSide gang<\/a> and its successor BlackMatter, have continued their targeting, at least for now.<\/p>\n<p class=\"paywall\">\u201cThe big question, I suppose, is does this represent a real shift in Russia\u2019s intentions to deal with this problem, or has REvil simply been sacrificed in an attempt to alleviate some international pressure?\u201d says Brett Callow, a threat analyst at the antivirus company Emsisoft. \u201cI would suspect the latter.\u201d<\/p>\n<p class=\"paywall\">Callow and others emphasize, though, that while it will take time to learn more about the Russian government\u2019s approach, seeing so many REvil operators apprehended should provide some amount of deterrent effect. 
And in an interconnected industry like the ransomware market, every disruption is significant.<\/p>\n<p class=\"paywall\">\u201cI agree there must be a motivation other than \u2018the US asked us nicely,\u2019 but regardless, this will further disrupt the ransomware economy, at least in the short term,\u201d says incident responder and former NSA hacker Jake Williams.<\/p>\n<p class=\"paywall\">In the long term, several ransomware groups operating out of Russia remain highly active. The REvil takedown is a sign of progress, but what really matters will be the Kremlin\u2019s appetite for pursuing those other gangs as well.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/russia-revil-ransomware-arrests-ukraine\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e1bd24b92104f9e83d151d\/master\/pass\/Sec_RU_GettyImages-1199843836.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess, Lily Hay Newman| Date: Fri, 14 Jan 2022 18:17:29 +0000<\/strong><\/p>\n<p>Over a dozen alleged members of the notorious ransomware group have been arrested, but the Kremlin&#8217;s critics are wary of the underlying 
motivation.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-18057","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18057"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18057\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18057"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}