Skip to main content
An FSB officer studying the computer of one of the detained members of the ransomware group REvil
news

Russian FSB busts ransomware group REvil at U.S. request

Source: Meduza
An FSB officer studying the computer of one of the detained members of the ransomware group REvil
An FSB officer studying the computer of one of the detained members of the ransomware group REvil
Russian FSB / TASS

On Friday, January 14, the Russian FSB reported that it had carried out a special operation to shut down the ransomware group REvil in response to a request from the United States. According to the FSB, its operatives detained and charged the group’s members after conducting raids on 25 addresses in Russia. If convicted, the suspects could face up to seven years in prison. The FSB’s announcement coincided with Ukraine reporting a major cyberattack that shut down dozens of government websites overnight. As yet, there is no indication that the two events are related and the Ukrainian government has not confirmed who is behind the attack.

Russia has shut down the infamous ransomware group REvil, the Federal Security Service (FSB) announced on Friday, January 14. 

“As a result of the joint actions of the FSB and Russia’s Interior Ministry the organized criminal group ceased to exist and the information infrastructure used for criminal purposes was neutralized,” reported the FSB’s Public Relations Center. 

REvil is known for carrying out cyberattacks on major companies using ransomware programs that encrypt their data. The hackers then demand a ransom for restoring the company’s access to its own information. In June 2021, for example, the FBI accused REvil of attacking the Brazilian company JBS, the world’s largest meat packer, which ended up paying the extortionists $11 million. A month later, the ransomware group was linked to a massive cyberattack which, according to some reports, affected more than a thousand companies.  

In November 2021, the FBI issued a wanted notice for Evgeny Polyanin, a 28-year-old Russian national believed to be affiliated with REvil. In turn, the U.S. State Department offered a reward of up to $10 million for information leading to the identification or location of REvil’s leaders, as well as a reward of up to $5 million for information leading to the arrest and/or conviction of individuals involved in the ransomware group’s activities.

REvil has been linked to Russia because its members speak and write in Russian. American experts surmised that the group was under the protection of the Russian intelligence services or the Russian government. 

The FSB stated that it began to search for members of the group after receiving a request from U.S. law enforcement agencies that provided information about REvil’s leader and his involvement in cyberattacks on foreign companies. The FSB didn’t disclose further details about the American government’s request. 

The FSB claims to have identified the ransomware group’s entire team. Investigative operations were carried out in Moscow and St. Petersburg, as well as in the Moscow, Leningrad, and Lipetsk regions. The FSB reported to have conducted searches at 25 addresses linked to 14 members of the group, and to have seized more than 426 million rubles (roughly $5.6 million), some of which was in cryptocurrency, $600,000, 500,000 euros (around $572,000), as well as 20 luxury cars, and computer equipment and cryptocurrency wallets that were allegedly used to commit crimes.

The FSB has not disclosed the exact number of arrests or the names of the detained group members. The suspects have been charged with the unlawful circulation of means of payment (under Russian Criminal Code Article 187, part 2) and could face up to seven years in prison. 

REvil went offline suddenly in July 2021. The notorious ransomware group went dark just days after a U.S. President Joe Biden demanded that Russia shut down ransomware groups based in the country during a phone call with President Vladimir Putin. 

Also on Friday, Ukraine reported a massive cyberattack that shut down around 70 government websites overnight. Threatening messages written in Ukrainian, Russian, and Polish were posted on some of the government websites, claiming that Ukrainians’ personal data had been leaked online and warning people to “be scared and expect the worst.”

At the time of this writing, the Ukrainian government has not confirmed who is behind the attack and there is no indication that the incident is related to Russia dismantling REvil.

As reported by the Kyiv Independent, the deputy head of Ukraine’s State Service for Special Communications and Information Protection said that the agency found out about the attack from the “information resources of another country.” The official also said the cyberattack “can be linked to constant aggression” against Ukraine, but added that so far there isn’t sufficient evidence to attribute the attack to Russia. 

Story by Alexander Baklanov

Updated translation by Eilish Hart