Eight people allegedly involved in the REvil ransomware gang were hit with charges by a court in Moscow on Saturday, according to the Russian News Agency (TASS).
The eight were arrested as part of a larger raid by Russia’s Federal Security Service (FSB) and the Ministry of Internal Affairs of Russia on 25 different locations across Moscow, St. Petersburg and Lipetsk on Friday.
TASS reported that on Saturday, Moscow’s Tverskoi Court charged the men with violating Part 2 of Article 187 of Russia’s Criminal Code, which covers the “illegal circulation of payments. The men are facing up to seven years in prison and a fine of about $13,150.
“At present, materials are either incoming or have already been examined with regard to Roman Muromsky, Andrey Bessonov and also the following individuals: Golovachuk M.A., Zayets A.N., Khansvyarov R.A., Korotayev D.V., Puzyrevsky D.D. and Malozemov A.V. Overall, the court has materials on eight individuals,” the court said.
Muromsky and Bessonov were initially named by Russian news outlets as members of the group and video emerged online of the two in court.
The FSB said it moved forward with the raid after receiving information about REvil’s alleged leader and other members of the group from US authorities.
The FSB said in a statement that 20 luxury cars, 426 million rubles, $600,000 and Є500,000 in Euros were seized during the raids. Police also took computer equipment and gained access to several crypto wallets.
The Russian news outlet called REvil “one of the world’s most prominent cybercrime groups,” noting that they have attacked the state government of Texas, companies like Apple and dozens of other organizations.
According to the US Department of Justice, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group allegedly brought in at least $200 million from ransoms.
On Friday evening, White House officials told reporters that the person behind the ransomware attack on Colonial Pipeline last year was arrested as part of the raid but did not reveal the person’s name. While the attack on Colonial Pipeline — which caused a week of gas shortages along the East Coast of the US — was attributed to the DarkSide ransomware group, experts said those involved were closely associated with REvil.
Recorded Future ransomware expert Allan Liska told ZDNet that there are multiple connections between REvil and Darkside, which shuttered its operations shortly after the headline-grabbing attack on Colonial Pipeline and reconstituted under the name “BlackMatter.”
“First, we think the user Darksup, who was the main organizer of the DarkSide ransomware, started out as an affiliate of REvil. Secondly, there is a lot of code overlap between DarkSide and REvil ransomware. Flashpoint did a good analysis of that,” Liska said. “Finally, after the Colonial Pipeline attack, when DarkSide went into hiding, Unknown (the spokesperson for REvil) was speaking on DarkSide’s behalf on the underground forums.”
There has been significant debate about why Russian authorities finally decided to detain members of the REvil ransomware group after US officials spent months pressing the country for help.
Digital Shadows’ Chris Morgan told ZDNet that some people on Russian cybercriminal forums said the arrests were part of a larger “political game” between the US and Russia, which has faced backlash in recent weeks for its threatening actions toward Ukraine.
“Its possible that the FSB raided REvil knowing that the group were high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape. These arrests could also have served a secondary purpose, as a warning to other ransomware groups,” Morgan explained.
“REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting.”