“The organised criminal association (REvil) has ceased to exist, and the information infrastructure used for criminal purposes has been neutralised as a result of joint actions of the Federal Security Service (FSB) of Russia and the Ministry of Internal Affairs,” read the press release by the FSB. A joint operation was carried out in Moscow, St. Petersburg, Leningrad, and Lipetsk regions to suppress illegal activities, the FSB added.
The coordinated search operation resulted in seizure of nearly 426 million rubles, which includes cryptocurrency, 600,000 dollars, and 500,000 euros from 25 different residences belonging to 14 REvil members. The authorities also recovered computer equipment, crypto wallets, and 20 premium cars, as per the press release.
The Russian authorities said that the action was taken following an appeal by US authorities, who have been informed about the operation. The 14 members have been charged with committing crimes under Part 2 of Art. 187 “Illegal turnover of means of payment” of the Criminal Code of Russia, the agency said.
Why this matters: It is the first time that the Russian authorities have taken action against one of several ransomware gangs based on its shores. It also demonstrates the value of global collaboration needed to tackle the threat of ransomware.
Why was it important to neutralise REvil?
REvil is the hacker group that’s responsible for cyber attacks against JBS Meat and Colonial Pipeline, among others. The FSB said that it established the full composition of REvil and the involvement of its members in illegal activities. The group developed malicious software to organise theft of funds from bank accounts of foreign citizens in order to implement its plan, the agency added.
Russia has been under tremendous pressure ever since US President Joe Biden pressed the country to act against REvil and other Russian cyber criminals last summer, when REvil targeted Miami-based software provider Kaseya, CoinDesk reported.
Ransomware gangs in crosshairs
The increase in the number of attacks has led to countries ramping up their actions against ransomware gangs. Romanian, Kuwaiti, and South Korean authorities were responsible for the arrest of suspected members of REvil-affiliated hacking groups last year.
REvil was taken offline in a hacking operation by several countries spearheaded by the United States. The agencies involved in the operation include the Federal Bureau of Investigation, US Cyber Command, the Secret Service, and a few countries whose names are not yet known, Reuters reported.
More recently, VPNLab.net was shut down by the European Union Agency for Law Enforcement Cooperation (Europol) for allegedly aiding ransomware deployment and other cybercrime activities. Law enforcement authorities from Germany, US, and the UK, seized 15 servers that hosted VPNLab.net’s service, rendering it no longer available.
Which ransomware attacks can be tied to REvil?
January 2021: A pan-Asian retail chain operator Dairy Farm was attacked by the REvil gang which demanded a $30 million ransom. The REvil ransomware group compromised Dairy Farm Group’s network and encrypted devices in January. There is no confirmation on whether the ransom was paid.
March 2021: Computer giant Acer was hit by a REvil ransomware attack this year where the threat actors demanded the largest ransom, $50 million, to date. The ransomware gang announced on the data leak site (Happy Blog) that they had breached Acer and shared some images of allegedly stolen files as proof. It is not yet known whether Acer complied with the ransom.
May 2021: JBS SA, the world’s largest meat processing company, was also one of the victims of the ransomware gang. It reportedly paid $11 million to obtain the decryption key. The ransom was paid in Bitcoin. The company was widely criticised for complying with the demands as it would incentivise more attacks.
July 2021: The attack on Kaseya in July 2021 is estimated to have affected up to 2,000 global organizations. REvil targeted a vulnerability in a Kaseya remote computer management tool to launch the attack. REvil demanded $70 million to restore encrypted data. Kaseya announced it received the decryption key for the files encrypted from an unnamed “trusted third party”, later discovered to be the FBI who had withheld the key for three weeks, and was helping victims restore their files.
- 76% of Indian companies were impacted by ransomware attacks last year, survey reveals
- Acer India hit by ransomware attack, over 60 GB of files and databases stolen
- Accenture becomes latest victim of a ransomware attack, but says no disruption to operations
- Pine Labs becomes latest victim of ransomware attack, 500,000 unique records exposed: Report
Have something to add? Post your comment and gift someone a MediaNama subscription.