Eight members of the REvil ransomware operation who were detained by Russian officers are now facing criminal charges for their illegal activity.
On Friday, the Federal Security Service (FSB) of the Russian Federation, the country's domestic intelligence service, announced raids at the homes of 14 individuals suspected of being part of the REvil ransomware gang.
The operation was carried out in cooperation with the Russian Interior Ministry after U.S. authorities reported on the leader of the group and demanded that action be taken against cybercriminals residing in Russia.
The names of the suspects were unknown until today when Moscow’s Tverskoi Court identified eight of them from the documents of their arrest:
- Roman Muromsky
- Andrey Bessonov
- Golovachuk Mikhail A.
- Zayets Artem N.
- Khansvyarov Ruslan A.
- Korotayev Dmitry V.
- Puzyrevsky D.D.
- Malozemov Alexei V.
The suspects have been jailed for two months as a preventative measure, and all of them are being investigated for the illegal circulation of means of payment (counterfeit credit cards and other payment documents, cryptocurrency).
Because of this, cybercriminals on some hacker forums believe that the suspects were arrested for carding (trafficking and using stolen credit cards).
Yelisey Boguslavskiy, head of research at threat-prevention company AdvIntel, says that the arrested individuals were likely low-level affiliates rather than the core of the REvil operation, which develops the malware and maintains the ransomware-as-a-service (RaaS) operation.
All of the arrested individuals are accused of committing a crime under Part 2 of Article 187 of the Criminal Code of the Russian Federation, which carries a sentence of between five and eight years in prison, the TASS Russian news agency reports.
According to Martin Matishak of The Record, a senior Biden administration official said that one of the 14 raided suspects was also responsible for the ransomware attack that disrupted the operations of Colonial Pipeline. That attack was carried out by the DarkSide ransomware gang, which later rebranded as BlackMatter.
REvil made a name for itself on Russian-speaking hacker forums by creating a private, highly profitable RaaS business that accepted only professional intruders with access to large enterprise networks.
The gang is responsible for some of the most publicized ransomware incidents, such as the attack on meat processing company JBS, which paid an $11 million ransom, and the attack on Kaseya, a developer of IT management software for managed service providers, from which REvil demanded $70 million for the decryption tool.
According to the U.S. Department of Justice, the REvil ransomware operation has received more than $200 million since it emerged in early 2019 and has encrypted at least 175,000 systems.
It is unclear whether the eight people already charged were part of the REvil operation's core or just affiliates, but the FSB says that it has identified all members of the ransomware gang:
“The FSB of Russia established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documented illegal activities” – Federal Security Service of the Russian Federation
In raids at 25 addresses of 14 suspected members of the REvil ransomware gang, law enforcement found and seized more than $6.6 million in fiat and cryptocurrency.