According to Bleeping Computer, the Federal Security Service (FSB) of the Russian Federation says that they shut down the REvil ransomware gang after U.S. authorities reported on the leader.

The article (Russia arrests REvil ransomware gang members, seize $6.6 million, written by Ionut Ilascu, hat tip to Sharon Nelson’s Ride the Lightning blog for the coverage here) states that 14 members of the gang have been arrested following police raids at 25 addresses, the Russian security agency said in a press release last week.

The FSB said: “The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption.”

Russian authorities confiscated cryptocurrency and fiat money as follows:

• More than 426 million rubles (approximately $5.5 million)
• 600 thousand US dollars
• 500 thousand euros (approximately $570,000)

Russian authorities also confiscated 20 luxury cars purchased with money obtained from cyberattacks, computer equipment and cryptocurrency wallets used to develop and maintain the RaaS operation.

The FSB said that it was able to identify all members of the REvil gang, documented their illegal activities, and establish their participation in “illegal circulation of means of payment.”

In less than a year after emerging in April 2019, the gang became the most prolific ransomware group, asking for some of the highest ransoms from its victims. It rose to infamy in August 2019 when it hit multiple local administrations in Texas and demanded a collective ransom of $2.5 million – the highest to that date.

Its most publicized hits were the Kaseya supply-chain attack that crippled around 1,500 businesses all over the world (with a demand of $70 million) and the JBS S.A. meat processing cyberattack in May of last year, where JBS paid the hackers an $11 million ransom. According to Comparitech’s interactive map of US ransomware attacks, REvil has hit businesses, healthcare organizations and government entities in at least 18 states (select REvil in the Ransomware strain drop down box on the right side to see the instances).

More information in both articles. Sharon notes that “that the sudden cooperation of the Russians may be related to tensions over the Ukraine, where 100,000 Russian troops are now stationed.” Gee, you think? 😉

So, what do you think? Do you believe REvil is gone? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.