MOSCOW >> Russia’s main security agency said Friday that at the request of the U.S. government it had dismantled REvil, one of the most aggressive ransomware crime groups attacking Western targets, and arrested some of its members.
The agency, known as the FSB, said “the organized crime gang ceased to exist” after a sweeping operation that was carried out in 25 locations across five Russian regions. The raids followed multiple requests by the Biden administration for the Kremlin to help shut down such groups.
The arrests were announced on the same day that the U.S. government accused Russia of sending saboteurs into Ukraine to create a pretext for invasion and that hackers shut down dozens of Ukraine’s government websites — an attack that Ukrainian officials suggested had originated in Russia.
A senior Biden administration official said the Russian sweep of REvil had no bearing on the building tension over security in Europe and the fate of Ukraine, with Russia massing troops near Ukraine’s borders and demanding that NATO pull back in Eastern Europe. But it is not clear whether the Kremlin sees this rare example of cooperation between the two countries as unrelated to Ukraine.
The official, speaking on condition of anonymity to brief reporters, said the administration believed one of those arrested Friday was involved in a ransomware hack last year that shut down the Colonial Pipeline, a major artery of fuel for the eastern United States. That attack was attributed to a group called DarkSide that is also believed to operate in Russia and to have ties to REvil.
In July, President Joe Biden warned President Vladimir Putin of Russia that the country could face grave consequences if it did not act swiftly on neutralizing groups such as REvil. In November, the State Department announced it was offering a reward of up to $10 million for information about REvil’s leaders.
Later Friday, a court in Moscow placed in custody two members of the group, identified by Interfax, a Russian news agency, as Andrei Bessonov and Roman Muromsky. Russian authorities did not describe the men’s roles in REvil or say what evidence linked them to the group.
The FSB did not say how many people it had arrested or whether they included the group’s leaders. It remains to be seen whether the operation really spells the end of REvil; in the past, such groups have reorganized under new names.
U.S. officials have said that while the Kremlin could shut down hacker groups like REvil, it tolerates or even encourages them as long as their targets are outside Russia.
In July, following Biden’s ultimatum, REvil went offline, fueling speculation about whether the Kremlin had ordered the group to go quiet, the United States or its allies had managed to disrupt its operations, or the group itself had decided to go underground, fearing that the heat had become too intense.
However, it resurfaced two months later, reactivating a portal victims use to make payments. In October, it was again forced offline, temporarily, by a counterhacking effort mounted by the governments of several countries, including the United States.
REvil, short for “ransomware evil,” has been one of the most notorious ransomware hacking groups sought by U.S. law enforcement. Ransomware groups hack into a victim’s computer system and encrypt its data, effectively locking out the owners, and extort them for money — sometimes millions of dollars, paid in cryptocurrency — in return for reversing the encryption.
U.S. intelligence agencies identified REvil as responsible for the attack on one of the largest U.S. beef producers, JBS, in June, forcing the shutdown of nine beef plants. In the end, JBS said it had paid an $11 million ransom in Bitcoin. The operator of the Colonial Pipeline paid almost $5 million in Bitcoin.
REvil also took credit for what was described as the biggest ransomware hack ever in July, affecting up to 1,500 businesses around the world.
The organization boasted about its attacks on its site — called “Happy Blog” — on the dark web, where it listed some of its victims and earnings from its digital extortion schemes.
In September, a report by cybersecurity company Recorded Future said Russian intelligence officials have long-standing ties to cybercrime groups. “In some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors,” the report said.
On Friday, the FSB said in a statement that it had informed the U.S. government of the sweep against REvil, including searches of the residences of 14 group members, adding that it had seized more than $5.5 million in rubles, dollars, euros and cryptocurrencies, as well as 20 luxury cars.
REvil, the FSB said, had “developed malware, organized the theft of funds from bank accounts of foreign citizens, and also cashed them out, including by buying expensive goods online.”
Footage of the arrests, aired by Russian news channels, showed agents breaking into apartments and pushing young men to the floor and handcuffing them. The video also showed large piles of dollars and rubles being seized and counted, and masked agents looking through confiscated computers.
This article originally appeared in The New York Times.