Russia Takes Down REvil Crypto Ransomware Group

The Federal Security Service (FSB)—Russia’s domestic intelligence service—has said it has dismantled the REvil ransomware group at the request of the United States. The FSB reportedly conducted an operation that detained and charged several of the group’s members. 

One day later, a court in Moscow also detained six individuals described as suspected members of the group. 

What is REvil?

REvil is a Russia-based hacker group responsible for several ransomware attacks in which it demanded payment in cryptocurrency.

Last June, the group orchestrated a ransomware attack against JBS, a meat supplier that processes about 20% of America’s meat supply. The company eventually paid $11 million to the hackers. 

One month later, REvil demanded $70 million in Bitcoin after attacking at least 200 U.S. companies. The group broke into the Miami-based IT firm Kaseya’s systems, using them to access and paralyze over a million systems. 

“If anyone wants to negotiate about universal decryptor—our price is $70 million in Bitcoin,” the group said at the time. 

The ransomware group appeared to go dark in the weeks after the Kaseya attack, but in October, REvil hackers placed $1 million worth of Bitcoin on a public Russian hacker forum as part of an online “recruitment flex.” 

The strategy was part of the group’s hunt for teams that had “experience and skills” in various hacking-relevant fields, including penetration testing. 

REvil, Russia, and the United States

REvil’s ransomware activity against American entities has even prompted the Biden administration to focus on combating the threat of these kinds of attacks. 

The Biden administration has been so concerned about the threat presented by ransomware that it was elevated to a similar priority level as terrorism last summer. 

Also, during the summer, the U.S. government set up a ransomware task force tasked with combating cyberattacks and tracing cryptocurrency ransom payments. At the same time, President Biden warned Russia to act on the illicit ransomware activity coming from within its borders.

is perfectly reasonable. This essentially is a feather in their cap, and you could definitely take a cynical view of it and think that it’s all signaling,” John Hultquist of security firm Mandiant told WIRED.