Russia’s FSB announces sting against members of REvil cybercrime gang

The security service said it executed the sting at locations in Moscow, St. Petersburg and elsewhere.
Russia, FSB, Federal Security Service, Moscow
The headquarters of the Federal Security Service (FSB) in Moscow on March 23, 2021. (Photo by KIRILL KUDRYAVTSEV / AFP via Getty Images)

The Russian government said Friday that it raided multiple addresses tied to members of the REvil ransomware gang, making arrests and seizing hard cash, cryptocurrency, computers and cars.

The Federal Security Service, or FSB, said it executed the sting at locations in Moscow, St. Petersburg and elsewhere. The operation came at the request of the United States, the FSB said. The FBI did not immediately respond Friday morning to requests for comment.

“Representatives of the competent US authorities were informed about the results of the operation,” the FSB said, according to a translation of its news release.

A senior Biden administration official said “we understand” that one of the individuals arrested was responsible for the Colonial Pipeline ransomware attack that triggered a fuel panic on the East Coast last year, an attack previously attributed to another Russian ransomware gang, DarkSide. DarkSide has, at times, been linked to REvil.


The U.S. has reportedly passed along to Russia the names of hackers within its borders who have been behind active attacks on America, hoping it would lead to a Russian crackdown. Russian President Vladimir Putin said last summer that his country had agreed to enter into “consultations” on cybersecurity with the U.S., but shared no specifics.

The arrests have aroused suspicion about Russia’s motives among experts on the Kremlin and cybersecurity, given the reports that Russia is weighing an invasion of Ukraine and the U.S. has threatened sanctions in retaliation.

Russian state-owned news outlet TASS posted video on YouTube that it said was of the arrests. It also identified two arrested suspects as Roman Muromsky and Andrei Bessonov.

REvil, one of the most aggressive and successful Russia-based cybercrime groups, had been under pressure from global law enforcement as well as U.S. Cyber Command, which helped to shut down many of the gang’s digital operations last year.


The gang claimed responsibility for a major attack against Florida-based IT firm Kaseya in July 2021. The company estimated that as many as 1,500 of its customers were affected by the incident. Among the victims are New Zealand schools, an international textile company, a Swedish grocery store chain and two Maryland towns.

The group generated about $200 million in ransom payments between April 2019 and June 2021, according to the FBI.

The FSB said Friday it seized 426 million rubles, “including in cryptocurrency,” as well as $600,000 and 500,000 euros. Also captured: “20 premium cars,” a favorite commodity of Russian cybercriminals.

The FBI said in early December that it had seized about $2.3 million in cryptocurrency from a REvil member. Other REvil affiliates were arrested in November 2021 has part of an international operation.

Yaroslav Vasinksyi, the man accused of writing the REvil ransomware — also known as Sodinokibi — was arrested Oct. 8 in Poland at the behest of U.S. authorities. A top White House official declined to say in November whether Russia aided in that arrest.


Reuters quoted unnamed officials as saying any suspect with Russian citizenship is unlikely to be handed over to the United States.

The arrests coincide with Ukraine reporting cyberattacks on several of its government agencies during rising security tensions with Russia.

‘REvil may have hit targets within Russia, prompting today’s takedown of the ransomware gang,” speculated Tom Kellerman, head of cybersecurity strategy for VMware. “I believe those who were arrested are not the senior leadership and REvil will undergo merely show trials. Additionally, today’s systemic cyberattack is likely a precursor to a Russian invasion of Ukraine. They are preparing the battlespace.”

The senior administration official commended Russia, without commenting on its motive, in making the arrests.

“We welcome reports that the Kremlin is taking law enforcement steps to address ransomware emanating from its borders,” the official said. “These are very important steps that they represent the Kremlin taking action against criminals operating from within its borders, and they represent what we’re looking for with regard to continued activities like these in the future.”


The official also said they expected Russia to process the arrests via its own law enforcement system, a situation that has caused some to doubt whether the culprits will face real justice. The U.S. and Russia do not have an extradition treaty.

Updated, 1/14/22: Added details on the arrests, comment from a senior administration official and comment from Kellerman. 

Latest Podcasts