The Washington Post

In raids, Russia arrests 14 alleged members of the Revil ransomware gang

By Robyn Dixon and Ellen Nakashima (robyn.dixon@washpost.com, ellen.nakashima@washpost.com). Dixon reported from Belgrade, Serbia, and Nakashima reported from Washington.

Russia’s domestic security agency on Friday arrested 14 alleged members of the Revil ransomware gang, including a hacker that U.S. officials say executed May’s Colonial Pipeline attack, and announced that it had eliminated the group at Washington’s request.

“We welcome reports that the Kremlin is taking law enforcement steps to address ransomware emanating from [within] its border,” a senior administration official said in a background briefing with reporters Friday, speaking on the condition of anonymity because of the matter’s sensitivity.

The official said the administration did not believe the arrests were related to Russia’s apparent preparations to invade Ukraine. But, the official added, “we have also been very clear: If Russia further invades Ukraine, we will impose severe costs on Russia in coordination with our allies and partners.”

Analysts nonetheless said that the arrests, while significant, seem aimed at sending a signal that such cooperation would cease if the United States and Western allies impose sanctions in the event of a Russian invasion of Ukraine.

“The timing here is not an accident,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank.

The arrests also set an important precedent, with Moscow admitting for the first time that “major ransomware criminals reside in Russia,” he said.

The administration official did not identify the hacker who was arrested but said that the individual was “responsible for the attack” on the Colonial Pipeline, which led to panic buying of gasoline and long lines at gas stations on the East Coast.

A second U.S. official said that the person arrested was “an affiliate” of the gang that created the ransomware. That gang, DarkSide, disappeared shortly after the attack amid a huge outcry and after facing pressure from the U.S. government. The affiliate then switched to work with Revil, the official said.

The Russian Federal Security Service (FSB) said it raided 25 addresses in Moscow, St. Petersburg and several regions, seizing more than $1 million in U.S. currency, euros, bitcoin and rubles, as well as computer equipment and 20 luxury cars.

The Russia-based Revil gang has carried out numerous attacks on major global companies, including the July attack on software provider Kaseya and the May attack on the world’s biggest meat-processing business, JBS.

The arrests marked a rare positive moment in U.S.-Russia relations after a flurry of diplomatic efforts in Europe this past week failed to deter Russia’s military buildup near Ukraine and persuade Moscow to de-escalate.

President Biden asked for President Vladimir Putin’s cooperation to fight cyberattacks and ransomware when the two met in Geneva in June, but Friday’s arrests are Russia’s first major operation to halt Russia-based ransomware attacks around the globe.

Since the June summit, senior U.S. and Russian officials in an “experts group” have held at least a half-dozen calls in which the Americans have sought Moscow’s cooperation on cybercrime. The individuals arrested were discussed on those calls, with the United States passing information about them to the Russians so they could act, said people familiar with the matter.

Russian television showed FSB agents clad in black bursting into apartments, wrestling suspects to the ground and handcuffing them behind their backs, and searching apartments and computers.

The hacker involved in the Colonial Pipeline incident was one of those shown in the video, according to a U.S. official.

It is not uncommon for hackers to work for more than one group, said Allan Liska, intelligence analyst at the cyber firm Recorded Future. For instance, it is likely that the leader of Darkside started off by working as an affiliate for Revil, he said. There is also a good deal of overlap between the malware that Darkside and Revil use to lock up victims’ computers, he said.
