Russia’s FSB Arrests REvil Players at US Request

The morning of January 14, 2022, the Russian Federal Security Service (FSB) issued a statement that announced the demise of the hacker group REvil.

The FSB, in a joint effort with the Ministry of Internal Affairs (MVD), executed a successful takedown of individuals associated with REvil in a series of coordinated actions. The FSB noted that it acted at the request of the United States, which had “reported on the leader of the criminal community and his involvement in encroaching on the information resources of high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption (ransomware).” The United States has been informed of the results of the Russian law enforcement effort.

The FSB/MVD raids took place in the cities of Moscow and St. Petersburg and in the regions of Leningrad, Moscow and Lipetsk. The raids, which included searches of 25 addresses, resulted in the arrest of 14 individuals and the seizure of 426 million rubles ($5.6 million), including cryptocurrency, US$600,000, €500,000, computer equipment, cryptocurrency wallets and 20 premium cars, according to the FSB.

The FSB statement concluded with the stark declaration that, “As a result of joint actions of the FSB and the MVD, the [REvil] organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized.”

In October 2021, the White House pointedly noted how it expected Russia to “address ransomware criminal activity coming from actors within Russia” in the leadup to the International Counter-Ransomware Initiative hosted by the United States. The White House brief noted bilateral discussions at that time were frank and professional and that the United States had “shared information with Russia regarding criminal ransomware activity being conducted from its territory.”

The U.S. Department of State issued a $10 million reward for information about the location of key individuals associated with Sodinokibi-REvil and another reward of $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident. It is possible, then, that an individual or group of individuals may be eligible for a significant payday.

In November 2021, the U.S. Department of Justice announced the arrest of Ukrainian national Yaroslav Vasinskyi for the July 2021 ransomware attack against Kaseya and other entities. At the same time, the DoJ said that it had seized $6.1 million in funds directly traceable to ransom payments made to Russian national Yevgeniy Polyanin, who is also charged with conducting REvil/Sodinokibi ransomware attacks.

Given the FSB’s statement on today’s raid, it is possible Polyanin was among those arrested by the FSB. Thus far, Russian media has identified only one of those arrested: 33-year-old Roman Muromsky, a graduate of Moscow State University of Technology, whom the MVD asked the courts to place in pre-trial detention for two months.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
