Russia detained several members of the notorious REvil ransomware gang at the request of U.S. law enforcement in a sweeping operation around the country, according to the Federal Security Service.
Law enforcement raided the homes of 14 members of REvil and seized currencies worth nearly $7 million, cryptowallets and 20 luxury cars, according to a statement Friday by the security service, known as FSB. Authorities in the U.S. have been informed that the group was shut down, it said.
REvil, short for Ransomware-Evil, has been among the most prolific cyber gangs and was accused of leading a flurry of attacks last year against companies and organizations, including one last May on U.S. meatpacker JBS SA, which eventually paid an $11 million ransom.
REvil has received more than $200 million in ransom payments, received in cryptocurrencies Bitcoin and Monero, according to the U.S. Treasury department. Russia's actions follow the November arrests of five people allegedly associated with REvil in Romania and South Korea and the indictment of two others by the U.S.
The White House didn't immediately respond to a request for comment, nor did the Russian Embassy in Washington.
The arrests mark a rare example of cooperation between Russia and the U.S. at a time when tensions are high over a mass buildup of Russian troops near the border with Ukraine. The U.S. is putting pressure on Europe to agree on potential sanctions amid concerns President Vladimir Putin could soon invade Ukraine, according to people familiar with the discussions. Russia denies it plans any invasion of its neighbor.
It also came as Ukraine sustained its worst cyberattack in four years with dozens of government websites hit. While Ukraine has previously accused Russia of waging major cyberattacks against its digital infrastructure, it wasn't yet clear who was behind the recent intrusions.
REvil was one of the most successful cyber gangs to conduct what's known as "ransomware as a service." In most cases, affiliates of REvil would break into companies, while the REvil gang provided the encryption software and customer support for a cut of the illicit proceeds.
"The ransomware was highly adaptable and the REvil team poured resources into regular improvements of the code, adding new features and fixing bugs," said Allan Liska, senior threat analyst at the cybersecurity firm Recorded Future Inc.
REvil, also known as Sodinokibi, was also accused of ransomware attacks on more than 20 Texas municipalities, in addition to the computer giant Acer and the software provider Kaseya. While the May attack on Colonial Pipeline Co., which led to panic buying of gasoline across the U.S. East Coast and a major U.S. government response, was linked to the ransomware group DarkSide, cybersecurity experts said there was overlap between that group and REvil.
Russia-linked ransomware groups were so disruptive that President Joe Biden pressed Putin to act during a call in July. REvil vanished from the dark web for nearly two months before reappearing in September.
The suspects won't be extradited to the U.S., Russia's Interfax news service reported, citing an unidentified person familiar with the case.
"REvil is a direct descendant of the GandCrab ransomware group," Liska said. "This is important because GandCrab was really the first ransomware group to offer a successful RaaS model, a model that has since been copied by so many other groups."
Dmitry Volkov, chief executive officer of Group-IB, a Singapore-based cybersecurity company, said it wasn't yet clear whether the developers of REvil ransomware or affiliates were arrested, though he said any "cross-border actions aimed at dismantling cybercrime is a positive step."
"As we've seen with various ransomware groups, the shutdowns do not always mean the end of malicious activities," he said. "There are many RaaS programs at the moment."
The Biden administration has said that curbing cyberattacks, particularly against critical infrastructure in the U.S, is a priority. The REvil arrests are part of a series of disruptive actions taken against ransomware members by the U.S. and other nations, including the recovery of stolen funds and actions against cryptocurrency exchanges that allegedly enabled laundering of illicit funds.
"Although 2021 may have been the worst year from a cyber threat perspective, we've had more notable wins by the good guys than in any previous year," said Charles Carmakal, senior vice president at cybersecurity firm Mandiant.