Russian investigators have detained eight members of the REvil ransomware operation, who now face criminal charges. On Friday, the Russian Federation's Federal Security Service (FSB), the country's domestic intelligence service, reported searches of the homes of 14 people suspected of belonging to the REvil ransomware group.
The operation was carried out in collaboration with the Russian Interior Ministry after US officials shared information about the group's leader and requested action against cyber criminals based in Russia. The suspects' names have not been officially released. However, the detention paperwork filed at the Tverskoi Court in Moscow identifies eight of them:
- Muromsky Roman
- Golovachuk Mikhail A.
- Khansvyarov Ruslan A.
- Bessonov Andrey
- Zayets Artem N.
- Puzyrevsky D.D.
- Korotayev Dmitry V.
- Malozemov Alexei V.
As a precautionary measure, the suspects have been remanded in custody for two months, and all of them are being investigated for the illegal circulation of means of payment (counterfeit credit cards and other payment documents, and cryptocurrency). Because of this charge, members of some hacker forums believe the defendants were actually detained for carding (trafficking in and using stolen credit cards).
According to Yelisey Boguslavskiy, head of research at the threat-prevention firm AdvIntel, the detained individuals were likely low-level associates rather than the core of the REvil organization, which develops the malware and runs the ransomware-as-a-service (RaaS) business. The Russian news agency TASS reported that all those detained had been charged with a felony under Part 2 of Article 187 of the Russian Federation's Criminal Code, which carries a punishment of five to eight years in prison.
A senior Biden administration source told Martin Matishak that one of the 14 raided suspects was also responsible for the ransomware attack that crippled Colonial Pipeline's operations. That attack was carried out by the DarkSide ransomware group, which later rebranded as BlackMatter.
REvil built a name for itself on Russian-language hacker forums by running a private, highly successful RaaS operation that only accepted experienced intruders with access to major enterprise networks. The gang is behind some of the most well-known ransomware attacks, including the attack on meat processor JBS, which paid an $11 million ransom, and the attack on Kaseya, a producer of IT management software for managed service providers, from which REvil demanded $70 million for a decryption tool.
According to the US Department of Justice, the REvil ransomware operation has amassed more than $200 million in revenue and locked at least 175,000 devices since its inception in early 2019. The FSB claims to have identified all members of the ransomware gang. However, it is unclear whether the eight people already charged were part of the REvil operation's core or merely associates.
"The FSB of Russia established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documented illegal activities," the Federal Security Service of the Russian Federation said.