Russia Charges 8 REvil Ransomware Suspects After Raids

White House: One Suspect Also 'Responsible for the Attack Against Colonial Pipeline'
Authorities in Russia have charged at least eight individuals with crimes tied to the REvil ransomware operation.
REvil, aka Sodinokibi, has been one of the most notorious ransomware operations in recent years, amassing more than $200 million in illicit profits, according to the U.S. Department of Justice.
In a surprise announcement Friday, Russia's Federal Security Service, the FSB, announced that it had raided 25 properties and detained 14 individuals suspected of having been part of the REvil operation. FSB agents seized numerous devices during the raids, as well as cryptocurrency, cash in multiple denominations and 20 luxury vehicles.
"We understand that one of the individuals who was arrested today was indeed the individual responsible for the attack against Colonial Pipeline last spring," a senior White House official, speaking on background, told reporters Friday. That suggests the individual worked as an affiliate not just for REvil but also for DarkSide, since DarkSide was the ransomware operation that took credit for the attack that disrupted Colonial Pipeline, which moves about 45% of the gasoline and other fuel supplies along the East Coast.
Demonstrating just how lucrative a single ransomware strike can be, Colonial Pipeline paid DarkSide a ransom in bitcoins worth $4.4 million at the time, of which about $3 million would likely have gone to the affiliate. In that case, however, the FBI later seized cryptocurrency from the payment worth roughly half of that sum.
8 Suspects Remanded
At least eight REvil suspects have now been arrested and have appeared in Moscow's Tverskoy District Court, where they have been remanded in custody, the Russian state news agency Tass reports.
"Overall, the court has materials on eight individuals," a court representative told Tass.
The court ordered that the suspects remain in custody for two months as the police investigation continues.
"2 of the arrested REvil members have been identified by Russian media. Both Roman Muromsky and Andrei Bessonov are detained in the Tverskoy Court of Moscow. An unknown individual recorded one of the alleged members on WhatsApp and shared it with RBC, a Russian media group." pic.twitter.com/os6KEGysd6 - vx-underground (@vxunderground), January 14, 2022
Multiple news outlets, including Tass and Reuters, have named the eight suspects:
- Andrey Bessonov
- Mikhail Golovachuk
- Ruslan Khansvyarov
- Dmitry Korotayev
- Alexei Malozemov
- Roman Muromsky
- Daniil Puzyrevsky
- Artyom Zayets
The FSB said that the arrests were made in part thanks to intelligence shared by the U.S. government.
The Biden administration said Friday that it has continued to share intelligence with Moscow via the White House-Kremlin Experts Group set up last June.
The senior White House official told reporters Friday that "our expectation is that Russia … would be pursuing legal action within its own system against these criminals for the crimes that they have … done," as well as "preventing future ones."
At least so far, the suspects haven't been charged with hacking, but rather money laundering. Experts say it's not clear if hacking charges could be brought against Russians for alleged crimes involving foreign entities.
Russia does not extradite its citizens to face charges filed abroad.
Scant Detail on Suspects
Cybersecurity expert Yelisey Boguslavskiy, research director at New York-based threat intelligence firm Advanced Intelligence, tells The Associated Press that despite these arrests representing an unprecedented crackdown on REvil, many of the suspects may be lower-level players.
Notably absent from the list of suspects named so far, for example, is Russian national Yevgeniy Polyanin, 28, who "is believed to be in Russia," and possibly in the Russian city of Barnaul, U.S. prosecutors said last November when they unsealed an indictment against him.
Among other charges, Polyanin stands accused of being the REvil affiliate who targeted 22 Texas municipalities in 2019, via their IT managed service provider.
Also absent from the list of suspects named so far is Aleksandr Sikerin, from whom the FBI last August seized 39.9 bitcoins - as of Monday, worth $1.7 million - which he allegedly amassed while working as a REvil affiliate. The DOJ says Sikerin's last known address is in St. Petersburg, Russia.
But whatever the arrested suspects' alleged role in REvil, experts say their arrests are a step in the right direction.
"While we are still looking to understand the true impact of these arrests, we applaud the Russian government for the actions it took," says Matt Olney, director of threat intelligence and interdiction at Cisco Talos.
Major Crackdown Began in Spring 2021
REvil debuted in April 2019 as an offshoot of the GandCrab operation and quickly became a highflier in the ransomware sphere.
But last spring, Western governments' focus on disrupting ransomware began to intensify, with the White House launching a new task force to track, combat and disrupt such attacks.
The White House also began bringing increased diplomatic pressure to bear on countries in which ransomware-wielding criminals were operating. As the Conti operation hit Ireland's national health service last May and disrupted patient care for months, followed by DarkSide disrupting Colonial Pipeline and triggering the panic-buying of fuel, and REvil hitting JBS - among many other attacks - Western governments launched what has become an international crackdown.
Last June, at a summit in Geneva, U.S. President Joe Biden warned Russian President Vladimir Putin that unless Moscow cracked down on cybercriminals operating from inside its borders, the White House would take matters into its own hands. Indeed, the U.S. and at least one ally appear to have also begun directly targeting infrastructure used by REvil, which suffered an outage last July and another after resurfacing in September, before the group seemed to finally go dark for good.
One challenge with disrupting ransomware, however, is that groups don't function as stand-alone entities organized in a rigid, hierarchical manner. Instead, they're largely composed of loosely affiliated contractors, aka affiliates.
In the ransomware-as-a-service business model that REvil employed, for example, experts say a core team of operators and developers - perhaps numbering seven individuals - maintained the malware and provided it to pre-vetted affiliates, who carried out the intrusions. Each time a victim infected by an affiliate paid, the affiliate was promised 60% of the ransom, rising to 70% after three successful infections, with the operators keeping the remainder.
But REvil's reputation in the cybercrime underground took a major hit last year. As Advanced Intelligence's Boguslavskiy reported, samples of REvil's malware had been analyzed by reverse-engineering experts working for the Exploit cybercrime forum. The experts, he said, reported finding a backdoor in samples of REvil - up to July 2021 - that would have allowed the core operators to cut affiliates out of victim negotiations and keep 100% of any ransom payment for themselves.
Even though the REvil brand now appears to have been fully burned, there's nothing stopping core operators from rebooting under a different name. If they do so, however, they face an uncertain response from the Russian government, especially in the current geopolitical climate.
'Russian Ransomware Diplomacy'
Indeed, some cybersecurity experts suspect the timing of the REvil arrests, as Russia continues to mass forces on Ukraine's border, may not be coincidental.
"This is Russian ransomware diplomacy. It is a signal to the United States: If you don't enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations," tweets Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, who previously served as the CTO of cybersecurity firm CrowdStrike.
"I suspect the U.S. government will not bite," he adds.
It's not clear for how long the FSB might have been monitoring the suspects before arresting them. But chatter on the cybercrime underground has revealed the FSB exerting increasing pressure on some ransomware operations - including Avaddon, Darkside, Hive and BlackMatter - since at least spring 2021, says Advanced Intelligence's Boguslavskiy.
"For instance, high-profile actors directly affiliated with the Avaddon gang claimed that it was a direct pressure by the FSB that forced the group to release security keys," he says. Notably, that group didn't just release decryption keys for all victims last June, but also announced its retirement.
Previously, experts say, Russian cybercriminals operating domestically appeared to remain immune to prosecution, provided they never amassed victims in Russia or its allies - including other members of the Commonwealth of Independent States - and also did occasional favors for Russian law enforcement or intelligence agencies.
But with the arrests announced last week, that state of affairs appears to have evolved, with the Russian government now hanging out to dry multiple REvil suspects.
"They couldn't care less about these guys," Alperovitch says. "They are not members of the security services. They are not oligarchs. They are not close to Putin. They are pawns to be used and discarded."
The White House says it is not treating the arrest of the suspected REvil members as being tied in any way to Russia's massing of troops on the border with Ukraine, or to the defacement of multiple Ukrainian government sites last Thursday and signs that those sites may also have been targeted with destructive malware.
"In our mind, this is not related to what's happening with Russia and Ukraine," the senior White House official told reporters Friday.
"I don't speak for the Kremlin's motives, but we're pleased with these initial actions," the official added. "We've also been very clear: If Russia further invades Ukraine, we will impose severe costs on Russia in coordination with our allies and partners."