Russia arrests 14 alleged members of REvil ransomware gang
Russia's domestic intelligence service announced a special operation campaign against the notorious criminal ransomware group, REvil, Friday. According to the Federal Security Service (FSB), Russian authorities raided 25 addresses, resulting in the arrest of 14 individuals and seizure of more than $1 million worth of assets: 426 million rubles, $600,000, 500,000 euros, computer equipment, crypto wallets and 20 luxury cars.
The Russia-based REvil gang has waged a spate of high-profile attacks on major U.S. and international companies, including the July 4 attack on software company Kaseya and a May ransomware attack on JBS USA, the world's largest meat processing company.
Earlier this year, REvil reportedly demanded $50 million from Apple ahead of its product launch after hacking one of its suppliers, Quanta Computer. Associates of the criminal ransomware group have been linked to the May shut down of Colonial Pipeline, the nation's largest oil producer.
The FSB's announcement came as Ukraine scrambled to respond to a cyber attack shutting down its public-facing government websites, including the homepage for the Foreign Ministry, which temporarily displayed a message warning Ukrainians to "be afraid and expect the worst." Ukraine's security service said, Friday, "there are some signs of involvement [by] hacker groups associated with the Russian secret services."
The FSB claimed those arrested Friday, had "developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and cashed them out, including by purchasing expensive goods on the Internet."
"As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal group ceased to exist," the statement boasted.
The White House acknowledged, Friday, that one of the hackers arrested had been involved in the Colonial Pipeline incident.
"We understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring," a senior administration official briefed reporters, Friday. "We're committed to seeing those conducting ransomware attacks against Americans brought to justice."
The FSB also handed out footage depicting agents raiding homes, tackling suspects to the floor, handcuffing individuals with blurred-out faces and sorting through stacks of Russian rubles.
Suspected REvil hacker Roman Muromsky, 33, has been detained following the raids, though it's unclear if the former leader of cybercriminal gang EvilCorp appears in the handout video.
Moscow's Tverskoi District Court has placed the Muromsky, a Russian national suspected of illegal trafficking of means of payment, in custody for two months.
"The court has granted the motion from the investigation to select two-month custody until March 13 as a measure of restraint for Roman Gennadyevich Muromsky," court spokesperson Kseniya Rozina said Friday. The court has also jailed Andrei Bessonov, Russian news agencies reported, Friday.
But Russia won't extradite to the U.S. those members of the REvil hacker group who have Russian citizenship, a knowledgeable source told Interfax Friday.
"The law of the Russian Federation prohibits extradition of Russian citizens to a foreign state," the source said, without specifying whether all the detained hackers were Russian nationals.
In their statement, the FSB said Friday's investigation came at "the request of competent US authorities," who were later "informed about the results of the operation."
The U.S.-Russia collaboration marks a bright spot in an otherwise tense moment for the two countries, following a week of failed diplomatic efforts to curb Russia's military buildup bordering on Ukraine. As Ukraine's communication intelligence service responds to the cyberattacks targeting as many as 70 of its websites, U.S. and Ukrainian officials tell CBS News that the Kremlin is actively preparing the battlefield by using information warfare.
"These arrests are another example of the significant actions taken by the United States to curb the multifaceted extortion crisis. Threat actors are reevaluating whether they should continue their criminal activities in light of the arrests and indictments," Charles Carmakal, SVP and CTO of Mandiant told CBS News.
"Still, the timing is strange here," Ken Westin, Director of Security Strategy for Cybereason cautioned, in an interview with CBS News. The Russian-led raids "could be a smokescreen or red herring."
"Taking down a ransomware leader is like cutting the head off a hydra," Westin added. "New leaders will step in to fill the void. The relationship between ransomware gangs and Russian APT groups are well known and the true actors behind these groups will continue to operate with impunity."
On Thursday, prior to public reports of the Russian-led REvil operation, U.S. Secret Service cyber chief Jeremy Sheridan told the Washington Post that ransomware criminal actors often mature, evolve or adjust, reappearing under different facades.
"With these small groups working with illicit exchanges, there's an expression that a colleague of mine uses," Sheridan said. "It's the same 200 people chasing the same 200 people. There are certainly the influx of new actors in this space. But a lot of times what we see with a new variant or a new cyberattack, it's the same developers who have just changed their technology to some degree."
Last summer, the State Department offered a reward of up to $10 million for information leading to the identification or location of key REvil group leaders.
In November, Attorney General Merrick Garland announced seizure of more than $6 million in cryptocurrency after REvil leader and Russian national Yevgeniy Igorevich Polyanin, scooped up $13 million from ransomware victims. The suspected "author" of the REVIL ransomware, Polyanin, has been charged with 14 counts of conspiracy to commit fraud, intentional damage to a protected computer, and money laundering.
CBS News has reached out to the Department of Justice, FBI and National Security Council for comment.
Margaret Brennan, Arden Farhi, Dan Patterson and Rob Legare contributed to this report.