Infamous Ransomware gang, REvil taken down by Russia

Image rights –

In what suspiciously looks like a political statement, Vladimir Putin has ordered the arrest of 14 members of the infamous gang, REvil. With tension and talks not currently being fruitful between Russia, NATO and the US about Ukraine, it seems this was a bit of a gift from Putin to the US Government. Tensions between Ukraine and Russia are at their highest in years, with a Russian troop build-up near the border with Ukraine, indicating, come kind of military invasion could be imminent. US intelligence findings have estimated that Russia could begin a military offensive in Ukraine “as soon as early 2022.”

On Friday the 14th of January 2022, officials from FSB and the Department of the Ministry of Internal Affairs seized computer equipment, 20 luxury cars, and more than $5.5 million in rubles and cryptocurrency. They also seized control of cryptocurrency wallets used by the REvil gang and recouped nearly $1.2 million in foreign cash.

The arrests took place in Moscow, St. Petersburg, and the Lipetsk region south of the Russian capital.

For many years, the infamous REvil criminal gang has attacked numerous high profile targets ruthlessly. In May 2021, the criminals, along with its affiliates, disrupted production at meat supplier JBS. In the process, they managed to secure a $11 million ransom payment. Then in July, it incapacitated thousands of businesses as it exploited a vulnerability in the update mechanism of IT software services company Kaseya. With REvil being based in the seemingly safe haven of Russia, their attacks have largely gone unpunished. It would appear that Ukraine conflict is a bigger issue than ransomware so they gang have been sacrificed by Russia as a bargaining chip in negotiations.

Reports from Russia, claim the FSB took action following requests from the United States. Back in August president Joe Biden told Vladimir Putin that he must take action against cybercriminals operating in Russia. Considering the many pleas from countries all over the world which have been made to Russia to stop their numerous hacking gangs, it seems unlikely that Putin suddenly decided to comply without an ulterior motive being in play.

Law enforcement agencies around the world, including in Ukraine, have increasingly been working together in efforts to tackle ransomware hackers. Since February 2021, Europol has arrested five hackers linked to REvil and says 17 countries have been working on its investigations. These include the US, UK, France, Germany, and Australia. This includes 22-year-old Ukrainian national Yaroslav Vasinskyi who was arrested in Poland and accused of conducting the Kaseya attack. Yevgeniy Polyanin, a 28-year-old Russian national, was also charged with deploying REvil’s ransomware. Polyanin is accused of conducting some 3,000 ransomware attacks and had $6.1 million of his assets seized in the process.

For now, several ransomware groups operating out of Russia remain highly active. The REvil takedown is a significant mark of progress, but it will be interesting to see if Vladimir Putin decides to pursue the other gangs as well, like the notorious DarkSide gang and its successor BlackMatter.


REvil (aka Sodinokibi) is a ransomware variant first detected in April 2019. Initial attacks focused on users in Asia, but REvil’s attacks have expanded to target entities globally, with increasingly more significant extortion demands with one of the most recent being $70M for Kaseya. Since then, the variant has been actively used in ransomware attacks targeting organizations worldwide across various sectors, including healthcare, legal services, technology, government, retail, and financial services.

Timeline of some REvil attacks:

Aug 2019: Vendor breached to spread ransomware to 22 Texas cities
Jan 2020: REvil release stolen victim data on forum threads, later replaced by the “Happy Blog” website, if the ransom was not paid.
April 2020: Widespread exploitation of COVID-19 pandemic to spread ransomware
May 2020: Purported breach and sale of Trump-related information, as well as multiple celebrities over the following months, likely resulting from breach of the GSMS law firm
Jun 2020: Researchers discovered the variant scanning for point-of-sale (PoS) software and leveraging Cobalt Strike to deliver the ransomware. REvil adds an auction page to “Happy Blog.”
Mar 2021: Harris Federation breach, which leads to shutdown of the network for weeks, breach of hardware and electronics manufacturer Acer
Apr 2021: Offered Apple schematics and other company data for sale after breaching hardware vendor Quanta
May 2021: Attack on JBS, which forced a shutdown of US beef plant operations and disrupted operations at poultry and pork plants
Jun 2021: Attack on Invenergy
Jul 2021: Attacks on US DoD contractor HX5 and Kaseya MSP

Further reading