REvil / Sodinokibi Gang dismantled by Russian FSB
- Well-orangised cyber crime gang, inactive since last year, have been arrested
- Russian authorities acted at the request of USA
- Arrests seen as potential distraction on world stage as Russia standas at Ukrainian border
We have been monitoring the impact of the REvil ransomware gang for several years and even wrote about their exploits in a prior post.
They were very well organised and effective ransomware actors that had achieved major “victories” in compromising the networks of Australian and international companies.
They probably set their sights a little too high last year when they took down a major US meat producer, JBS and interrupted the operations of Colonial Pipeline. That earned them extra attention and last week, as reported by many news outlets, authorities in Russia acted.
Following raids by Russia’s Federal Security Service (FSB), Moscow has stated that suspected gang members have been detained and the organization has been broken up.
At 25 sites in different parts of Russia, including Moscow, St. Petersburg and Lipetsk, linked to 14 members of the REvil ransomware gang, the FSB and the Russian Internal Ministry collaborated on joint action.
According to the FSB, members of REvil have been arrested and charged. Computers, cryptocurrency, and crypto wallets as well as over 426 million rubles, $600,000 US dollars, and €500,000 in Euros have been seized. The organisation also stated that 20 luxury cars purchased using funds “earned” from ransomware attacks have been confiscated.
The FSB has also indicated that the person specifically responsible for the Colonial Pipeline attack was part of the group arrested.
The raids occurred following requests from authorities in the United States, which has been a major target of ransomware attacks by REvil.
Previous action has been taken against REvil, including the arrest of suspected members by Romanian and Ukrainian authorities, but the raids by the FSB mark the first time Russian authorities have taken action against the group.
Kaseya, an IT solutions developer for MSPs and business clients like Computer One, was one of the most well-known targets of a REvil attack last year. In addition, REvil was accused of being behind a large ransomware assault against food supplier JBS that paid $11 million in Bitcoin to the attackers in exchange for the key needed to decrypt the network.
The United States and other G7 nations issued a message to Russia just last year, urging it to take responsibility for ransomware and other cybercriminal organizations operating in its territory. Ransomware is one of the world’s most pressing cybersecurity challenges, with attacks on every sector wreaking havoc.
Hospitals and healthcare services, energy suppliers, and local governments have all been targeted in high-profile ransomware assaults that have prevented people from being able to use vital services.
The Last Word
Goodbye REvil – hello the next threat actor to take their place. Ransomware is an easy crime to perpetrate and the rewards are vast. The economic imperative to attack commercial institutions is clear. Despite the risks, others like REvil will step up to take their place.
How long has it been since you re-examined your information security strategy?