Russia has dismantled the ransomware crime group REvil at the request of the United States in an operation in which it detained and charged the group’s members, according to the Federal Security Service (FSB), Russia’s domestic intelligence service.
FSB said in a statement on Friday that it had “suppressed the illegal activities” of members of the group during raids on 25 addresses that swept up 14 people.
The arrests were a rare apparent demonstration of US-Russian collaboration at a time of high tensions between the two over Ukraine.
The announcement came as Ukraine was responding to a massive cyber-attack that shut down government websites, though there was no indication the incidents were related.
A senior administration official, who wished to remain anonymous, told Reuters: “We understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring.”
A May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the US East Coast used encryption software called DarkSide, which was developed by REvil associates.
One US official quoted by the AFP news agency also praised the arrests, saying: “I want to be very clear – in our mind, this is not related to what’s happening with Russia and Ukraine.
“I don’t speak for the Kremlin’s motives, but we’re pleased with these initial actions,” she said on condition of anonymity.
“We’ve also been very clear – if Russia further invades Ukraine … we will impose a severe cost on Russia in coordination with our allies.”
The FSB listed REvil assets it had seized including 426 million roubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.
A Moscow court identified two of the men as Roman Muromsky and Andrei Bessonov and remanded them in custody for two months.
Two people familiar with Muromsky told the Reuters news agency that he was a web developer who had helped them with websites for their businesses.
No official comment from US
Russia told Washington directly of the moves it had taken against the group, the FSB said. The US Embassy in Moscow said it could not immediately comment.
“The investigative measures were based on a request from the … United States,” the FSB said. “… The organised criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralised.”
The REN TV channel aired footage of agents raiding homes and arresting people, pinning them to the floor, and seizing large piles of dollars and Russian roubles.
The group members have been charged and could face up to seven years in prison, the FSB said.
A source familiar with the case told Russia’s Interfax news agency the group’s members with Russian citizenship would not be handed over to the United States.
The US said in November it was offering a reward of up to $10m for information leading to the identification or location of anyone holding a key position in the REvil group.
The United States has been hit by a string of high-profile hacks by ransom-seeking cybercriminals. A source with direct knowledge of the matter told Reuters in June that REvil was suspected of a ransomware attack on the world’s biggest meat packing company, JBS SA.
Washington has repeatedly accused the Russian state in the past of malicious activity on the internet, which Moscow denies. REvil has not been associated with any major attacks for months.
Muromsky, who was apprehended in Friday’s raids, is in his thirties and was born in Anapa in Russia’s south, a client of his told Reuters. “He worked as a normal programmer.”
Another client, Adam Guzuyev, described Muromsky as “a regular normal worker” who proved unable to install all the features Guzuyev wanted on his website.
“He earned no more than 60,000 roubles. I can’t say he has genius abilities,” he said.