March 22, 2023

Notorious Russia-based REvil criminal gang has attacked targets ruthlessly for years. Last year in May the group, along with its affiliates, disrupted production at meat supplier JBS, netting itself $11 million in ransom payment. Two months later it incapacitated thousands of businesses as it exploited a vulnerability in the update mechanism of IT services company Kaseya. REvil’s attacks have largely gone unpunished until now.

In an unprecedented move the country’s security agency has arrested 14 alleged members of REvil. It’s the first significant action against ransomware gangs the Russian government has taken, after years of ignoring international pressure.


REvil dropped off the radar in July amid intense scrutiny, only to return a few months later. But the revival was brief, as an international law enforcement effort knocked the group back offline in October.

FSB has seized computer equipment, 20 luxury cars, and more than $5.5 million in rubles and cryptocurrency. Law enforcement also seized control of cryptocurrency wallets used by the suspects and recouped nearly $1.2 million in foreign cash troves.

The suspects have not been named, but the arrests took place in Moscow, St. Petersburg, and the Lipetsk region south of the Russian capital. Officials said the arrests were made for the “illegal turnover of means of payments,” and claim their actions have crippled REvil.

The arrests could prove to be a watershed moment in the urgent international effort to tackle ransomware, given that Russian cooperation has been a crucial missing component of the global response. But the arrests also come at a time when Russia’s deployment of troops to Ukraine’s border has intensified tensions in the region.

Law enforcement agencies around the world, including in Ukraine, have increasingly been working together in efforts to tackle ransomware actors. Since February 2021, Europol has arrested five hackers linked to REvil and says 17 countries have been working on its investigations. These include the US, UK, France, Germany, and Australia.


Without cooperation from Russia, though, officials have had some hard limits on which gangs they could effectively target. REvil mostly went dark after international law enforcement compromised its infrastructure. Other Russia-based groups, though, like the notorious DarkSide gang and its successor BlackMatter, have continued their targeting, at least for now.

In the long term, several ransomware groups operating out of Russia remain highly active. The REvil takedown is a sign of progress, but what really matters will be the Kremlin’s appetite for pursuing those other gangs as well.

Leave a Reply

%d bloggers like this: