Several alleged REvil hacker gang members have appeared in Russian court, after Russia took action against the group more than six months after President Joe Biden demanded a crackdown.
Roman Muromtsev, 33, and Andrei S. Bessonov were among the 14 suspects arrested in a coordinated sting that Russia’s FSB intelligence service announced on Friday, court documents show.
Neither man appears on the FBI’s Cyber Most Wanted list, and neither appears to have been previously named by US authorities, leading to questions about whether the Russian crackdown truly targeted the masterminds of REvil.
‘There is no confirmation of whether any of the self-identified REvil leaders (e.g. UNKN, 0_neday) have been arrested,’ John Shier, a threat researcher at Sophos, told NewsDons.com, referring to the screen names of the gang’s bosses.
‘The arrests by the FSB, allegedly at the request of the US government, are unusual given Russia’s stance on such crimes,’ he added. ‘The news comes at a time when political tensions between the two governments are running high and it’s easy to be cynical about the motive.’
Agents escort Muromtsev from Tverskoy district court on Friday after he was ordered held for at least two months without bail pending trial in the case
Muromtsev and Bessonov both appeared on Friday in Moscow court in the Tverskoy district, where a judge ordered both to be held without bail for at least two months pending trial.
Muromtsev graduated from the Moscow State University of Technology in 2012 as a process engineer.
A female classmate described him as ‘extremely good natured and talented’, according to Ostorozhno Novosti.
She had lived in the same hostel as him as a student and said it was ‘hard for her to believe’ that he could be a hacker.
Another video shows Muromtsev in a glass cage in Tverskoy district court in Moscow.
Separately, pictures show the Guinness-drinking suspected ransomware hacker who is also fond of trips to the mountains.
Muromtsev is fond of trips to the mountains and drinking Guinness, his social media shows
Little is known about Bessonov, who does not appear to have been publicly named by the FBI previously as a suspect in ransomware attacks
Muromtsev was earlier involved in online games on the Russian social media outlet Vkontakte. In 2009 he launched a game called Kholmiki, and later a flash version, Alchemy Ultimate.
His cars include an MG ZT and a Rover 75 while he also apparently owns a Kia Mohave SUV.
Russia’s FSB intelligence service said on Friday that it had targeted 14 members of the group with coordinated arrests at the request of authorities in the United States.
Biden has been demanding for months that his Russian counterpart Vladimir Putin take action against the group, and the motive for Russia choosing to finally act was unclear.
However, it comes as an olive branch at a time of high tension between Washington and Moscow, as Russia builds up troops near Ukraine and issues an ultimatum that NATO halt any eastward expansion.
‘At a time when Russia needs a little geopolitical goodwill, they arrest individuals associated with a defunct ransomware group,’ Shier told NewsDons.com.
‘If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was,’ he added.
‘While we can be afforded some brief time to celebrate the good news, it’s always important to remember that cybercrime isn’t just about ransomware. There are plenty of other cybercriminals, who were not impacted by these arrests, who will continue operating as usual,’ he noted.
The FSB security service shared footage of a special operation to ‘neutralize the REvil hacker group’ as it announced 14 arrests on Friday
The FSB said it seized $5.5 million in rubles (above) in the raids, and more than $1 million in foreign currencies
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told NewsDons.com that the arrests will have ‘sent shockwaves through the cybercriminal underworld’ but questioned whether the move signaled a true commitment from Russia to cracking down on hacker gangs.
‘Whether this signals Russia is getting serious about combating ransomware or whether REvil were simply considered a necessary sacrifice in the face of international pressure remains to be seen,’ said Callow.
REvil: The Russian ransomware gang behind US attacks
REvil, also known as Sodinokibi, is a group of hackers that recruits affiliates to distribute ransomware for them.
As part of the deal, REvil and the affiliates split any ransoms obtained using the group’s malware.
Short for ‘ransomware evil,’ REvil refers to both the group and its software.
Members are known to speak Russian, and the group operates with impunity from somewhere in Russia or Eastern Europe.
The group is behind several attacks on US businesses, including the JBS meat plant and Miami-based software firm Kaseya.
‘In either case, it will have sent shockwaves through the cybercriminal underworld, and those who formerly partnered with REvil will be especially concerned about the potential consequences,’ he added.
‘I’d chalk this up as a win. But how much of a win remains to be seen,’ said Callow.
REvil, also known as ‘Ransomware evil’, was responsible for the Memorial Day ransomware attack on the meat processor JBS and the supply-chain attack last July targeting the Miami-based software company Kaseya, which crippled well over 1,000 businesses globally.
The group’s ransomware code shares some similarities with DarkSide, the group behind the Colonial Pipeline attack last May, but experts doubt there are significant connections between the two gangs.
In July, Biden pleaded with Putin to take stronger action, saying he needed to rein in attacks from Russia-based groups and warned that the US had the right to defend its people and critical infrastructure from attacks.
The arrests on Friday were a rare apparent demonstration of collaboration between Russia and the United States, and they come at a time of high tensions between the two over Ukraine.
The announcement came even as Ukraine was responding to a massive cyber attack that shut down government websites, though there was no indication the incidents were related.
A joint police and FSB operation searched 25 addresses, detaining 14 people, the FSB said, listing assets it had seized including 426 million rubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.
Russian authorities show off American cash allegedly seized in the raids
The FSB also seized ‘computer equipment, crypto wallets used to commit crimes, and 20 premium cars purchased with proceeds from crime’.
Ransomware suspects were held in Moscow and St Petersburg, and the surrounding regions, and in Lipetsk region, the FSB said.
Russia said that ‘the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment was established’.
Russia had informed the United States directly of the moves it had taken against the group sought by Washington, the FSB said on its website.
The U.S. Embassy in Moscow said it could not immediately comment.
‘The investigative measures were based on a request from the… United States,’ the FSB said. ‘… The organized criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralized.’
The FSB shared footage of agents raiding homes and arresting people, pinning them to the floor, and seizing large piles of dollars and Russian rubles.
The group members have been charged and could face up to seven years in prison.
A source familiar with the case told Interfax that the group’s members with Russian citizenship would not be handed over to the United States.
FSB agents are seen taking down a suspected REvil leader in raids this week
In July, President Biden urged Russian leader Vladimir Putin to take action against REvil
The United States said in November it was offering a reward of up to $10 million for information leading to the identification or location of anyone holding a key position in the REvil group.
The United States has been hit by a string of high-profile hacks by ransom-seeking cybercriminals.
A source with direct knowledge of the matter told Reuters in June that REvil was suspected of being the group behind a ransomware attack on the world’s biggest meat packing company, JBS SA.
Washington has repeatedly accused the Russian state in the past of malicious activity on the internet, which Moscow denies.
Russia’s announcement comes during a standoff between the United States and Russia. Moscow is demanding Western guarantees including that NATO will not expand further. It has also built up its troops near Ukraine.
In November, NewsDons.com tracked suspected REvil ringleader Yevgeniy Polyanin, 28, to a chic $380,000 (USD) home in Barnaul where he was seen driving his $74,000 Toyota Land Cruiser 200, evidently feeling untouchable.
Polyanin was named by the FBI as a REvil affiliate but it was unclear whether he was among the suspects rounded up in Friday’s arrests.
Polyanin was spotted by a NewsDons reporter entering his $74,000 Toyota Land Cruiser 200 in his well-appointed home in Barnaul, Siberia in November
Polyanin was living in a chic $380,000 home in Barnaul while remaining on the FBI’s Most Wanted list
REvil had claimed responsibility for a series of attacks on US businesses.
The unprecedented attack targeting the Miami-based software firm Kaseya, which was reported July 2, affected an estimated 1,500 businesses globally.
The Kaseya attack shut down a major Swedish supermarket chain and ricocheted around the world, impacting businesses in at least 17 countries, from pharmacies to gas stations, as well as dozens of New Zealand kindergartens.
Meanwhile, the attack on JBS saw America’s largest beef supplier end up paying an $11 million ransom in Bitcoin to the hackers who shut down its plants.
JBS learned of the attack early on May 30 after discovering ‘irregularities’ on its servers and a ransom note.
The hack threatened to disrupt meat supplies across the United States over Memorial Day weekend.