REvil ransomware gang busted by Russian Federal Security Service

Eight members of the REvil ransomware group have been arrested in Russia and will face criminal charges.

Russia’s intelligence bureau, the FSB, announced on Friday that it had conducted an operation together with the Interior Ministry in Moscow, St. Petersburg, and the regions of Moscow, Leningrad and Lipetsk to detain the gang members.

In total, the FSB raided 25 homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including $600,000 in cryptocurrency; €500,000; computer equipment; the crypto wallets that were used to perpetrate crimes; and 20 luxury cars that were purchased with illicitly obtained money.

Eight of the suspects have been indicted. They are suspected of committing a crime stipulated under Part 2 of Article 187 of Russia’s Criminal Code (‘Illegal Circulation of Payments’).

US input

The FSB began the investigation after receiving information from US agencies about a criminal group and its involvement in attacks on foreign high-tech companies, by implanting malware, encrypting data and extorting money for its decryption. Based on the information provided, the FSB managed to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

Whether the arrests are a direct result of the pressure the Biden administration has been applying on Russian President Vladimir Putin to move against ransomware groups operating in Russia is a question that will probably never receive an official Russian answer. The United States government hasn’t indicated how it planned to respond to attacks emanating from Russia, but in July 2021 Biden hinted at digital retaliation if Russian cooperation was not forthcoming.

A Kremlin statement back then said Putin told Biden that Russia had not received any requests from the relevant US departments in the last month, and said that Russia was ready to jointly stop crime.

Now it looks like that might have happened, and hopefully not for the last time. There are many other ransomware groups believed to be based in the CIS.


We have talked about REvil here many times. Among other articles, you can find a threat spotlight from 2019, and a detailed report about REvil’s supply chain attack against Kaseya. That one even made it into the three most significant cyberattacks of 2021.

According to the FSB, as a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the REvil gang now ceases to exist after their information infrastructure used for criminal purposes was neutralized.

There has been a lot of writing and speculation about REvil’s origin, and about whether the gang would come back after a part of their infrastructure was shut down or when affiliates were arrested. So, if you ask us whether this will be the end of REvil, it’s hard to give a definitive answer.

But whether the gang reopens operations under the same name, or whether it spawns a new organization under new management, the result will be the same. The infection methods, the extortion tactics, and the merciless attacks will undoubtedly continue.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.