Arkansas Democrat-Gazette

Russia makes ransomware arrests

14 gang members in custody; timing leaves analysts wary

- ROBYN DIXON AND ELLEN NAKASHIMA

Russia’s domestic security agency Friday arrested 14 members of the REvil ransomware gang and announced that it had eliminated the group at the request of Washington.

The move is welcome, analysts said, but it seems aimed at sending a signal that such cooperation would cease if the United States and Western allies impose sanctions in the event of a Russian invasion of Ukraine.

“The timing here is not an accident,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank.

The arrests also came as unknown hackers targeted Ukrainian government websites early Friday, blocking access and warning Internet users to “expect the worst.”

The Federal Security Service said it raided 25 addresses in Moscow, St. Petersburg and several regions, seizing more than $1 million in U.S. currency, euros, bitcoin and rubles, as well as computer equipment and 20 luxury cars.

The Russia-based REvil gang has carried out numerous attacks on global companies, including in July against software provider Kaseya and in May against the world’s biggest meat-processing business, JBS. Former REvil associates also are believed to be responsible for the May cyberattack on Colonial Pipeline that led to gas shortages on the U.S. East Coast.

The arrests marked a rare positive moment in U.S.-Russia relations after a flurry of diplomatic efforts in Europe this week failed to deter Russia’s military buildup near Ukraine and persuade Moscow to deescalate.

President Joe Biden asked for President Vladimir Putin’s cooperation in fighting cyberattacks and ransomware when the two met in Geneva in June, but Friday’s arrests are Russia’s first major operation to halt Russia-based ransomware attacks around the globe.

Since the June summit, senior U.S. and Russian officials in an “experts group” have held at least a half-dozen calls in which the Americans have sought Moscow’s cooperation on cybercrime. The individuals arrested were discussed on those calls, with the United States passing information about them to the Russians so they could act, said a person familiar with the matter who spoke on condition of anonymity because of the matter’s sensitivity. “This is really a credit to Biden’s approach,” the person said.

“This is a significant action by Russian law enforcement against one of the most prominent ransomware gangs in the world,” Alperovitch said. “It also serves as a signal — amidst potential significant deterioration of relations over that Ukrainian conflict — to showcase the type of meaningful help Russia can provide to the U.S. if it chooses to, or not.

“Putin has already warned Biden that in the event of severe sanctions over invasion of Ukraine, there could be a full break in diplomatic relations, meaning that cooperation like today’s action on ransomware, among other things, would cease,” Alperovitch said.

Russia’s security agency said U.S. law enforcement provided detailed information about the gang leader’s identity and criminal activities.

Russian television showed agents clad in black bursting into apartments, wrestling suspects to the ground and handcuffing them behind their backs, and searching apartments and computers. One suspect had dozens of thick bundles of ruble bills in a compartment under his bed, according to the video.

The hacker shown was involved in the Colonial Pipeline incident, according to a U.S. official.

Although that attack was claimed by a different Russian-speaking hacker group, DarkSide, it is not uncommon for hackers to work for more than one group, and it is quite possible that the hacker shown worked for both REvil and DarkSide, analysts said.

It is likely that the leader of DarkSide started off by working as an affiliate for REvil, said Allan Liska, intelligence analyst at the cyberfirm Recorded Future. There is also a good deal of overlap between the malware that DarkSide and REvil use to lock up victims’ computers, he said.

Russian investigators Friday asked a Moscow court to hold one of the suspects, Roman Gennadyevich Muromsky, 33, in prison for two months pending investigation of his reported crimes, the Tass news agency said.

A Justice Department complaint filed last month in the Northern District of Texas named Aleksander Sikerin of St. Petersburg as a member of REvil.

According to the complaint, U.S. law enforcement seized $2.3 million worth of cryptocurrency in August tied to ransomware attacks that U.S. officials say he carried out.
