By Tom Balmforth and Maria Tsvetkova
MOSCOW (Reuters) – Russia has taken down ransomware criminal group REvil at the request of the United States in an operation in which it detained and charged members of the group, the FSB intelligence service said on Friday.
The arrests were a rare apparent display of US-Russian collaboration at a time of high tension between the two over Ukraine. The announcement came as Ukraine responded to a massive cyberattack that shut down government websites, although there was no indication the incidents were linked.
The United States welcomed the arrests, according to a senior administration official, adding “we understand that one of the individuals arrested today was responsible for the attack on Colonial Pipeline last spring.”
A cyberattack in May (https://www.reuters.com/technology/ransomware-gangs-disrupted-by-response-colonial-pipeline-hack-2021-05-14/?enowpopup) on the Colonial pipeline, which caused widespread gasoline shortages on the US East Coast, used encryption software called DarkSide, which was developed by REvil associates.
A police and FSB operation raided 25 addresses and detained 14 people, the FSB said, listing the seized assets as 426 million roubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.
A Moscow court identified two of the men as Roman Muromsky and Andrei Bessonov and remanded them in custody for two months. Muromsky could not be reached for comment and his phone was switched off. Reuters could not immediately reach Bessonov.
Two Muscovites told Reuters that Muromsky was a web developer who helped them build websites for their businesses.
Russia directly informed Washington of the action it had taken against the group, the FSB said. The US Embassy in Moscow said it could not comment immediately.
“The investigative measures were based on a request from the … United States,” the FSB said. “…The organized criminal association has ceased to exist and the IT infrastructure used for criminal purposes has been neutralized.”
The REN television channel broadcast footage of officers raiding houses and arresting people, pinning them to the ground and seizing large piles of dollars and Russian roubles.
The members of the group have been charged and face up to seven years in prison, the FSB said.
A source familiar with the matter told Interfax that members of the group with Russian nationality would not be handed over to the United States.
The United States said in November it was offering a reward of up to $10 million for information leading to the identification or location of anyone in a key position within the REvil group.
The United States has been hit by a series of high-profile hacks by cybercriminals seeking ransom. A source with direct knowledge of the case told Reuters in June that REvil was suspected of being the group behind a ransomware attack against the world’s largest meatpacking company, JBS SA.
Washington has repeatedly accused the Russian state in the past of malicious internet activity, which Moscow denies.
REvil has not been associated with any major attack for months.
John Shier, a threat researcher at UK-based cybersecurity firm Sophos, said there was no independent confirmation that the self-identified leaders of the “disappeared” group had been arrested.
“If nothing else, this serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was,” he said.
A former client of Muromsky, who gave only his first name, Sergei, described him as an ordinary worker who did not appear wealthy.
Sergei runs a store called Motohansa, which sells spare parts for motorcycles. Muromsky set up his website and supported it for a while, charging him around 15,000 roubles ($196) a month, he said.
“He’s a smart person and I can imagine if he wanted to (hack) he could, but he charged very little money for his services. Several years ago he had a Rover car. It’s not an expensive car at all,” Sergei said.
Muromsky is in his 30s and was born in Anapa, southern Russia, he said. “He worked like a normal programmer.”
Another client, Adam Guzuyev, described Muromsky as “a normal normal worker” who was unable to install all the features Guzuyev wanted on his website.
“He didn’t earn more than 60,000 rubles. I can’t say he has genius abilities,” he said, adding that Muromsky spent three months working on his website.
(Reporting by Gabrielle Tétrault-Farber and Maria Tsvetkova; Additional reporting by Anton Zverev and Polina Nikolskaya; Writing by Tom Balmforth; Editing by Alison Williams, Peter Graff, Mark Potter and Richard Chang)
Copyright 2022 Thomson Reuters.