Russian Security Takes Down REvil Ransomware Gang

High-profile busts by U.S. law enforcement agencies, such as the FBI and their Eastern European counterparts, have become more common going into 2022. However, we rarely hear the same of Russian security forces. In fact, we are more accustomed to hearing about Russian nation-state actors conducting international cyberattacks of their own.

Perhaps more surprisingly, Russia’s Federal Security Service (FSB) carried out the sting operation at the behest of U.S. authorities.

The REvil gang has been one of the most notorious and active ransomware threat actors in recent years. The operation was publicly announced by the FSB on 7 January 2022.

Also known as “Sodinokibi,” the REvil ransomware has been behind several highly publicized ransomware attacks:


Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.


REvil has been known to use many different attack vectors, such as spam/phishing campaigns, and offering fake software in the form of updates or software cracking tools that end up being Trojans or the ransomware itself.

Typically, the gang will demand a ransom of $2,000 to $5,000. However, they have recently scaled up their attacks. In the Apple case, they demanded a massive ransom to the tune of $50 million. They’ve also started employing other tactics, such as selling stolen IP back to victims or threatening to leak valuable IP online.

It’s no surprise then that REvil has been at the top of authorities’ most wanted list for some time.

According to local reports, the FSB raided 25 locations in Leningrad, Lipetsk, Moscow, and St. Petersburg. Fourteen of the alleged cybercriminals were caught, and significant assets were confiscated. This includes 20 luxury vehicles, $600,000, €500,000, an undisclosed amount of cryptocurrency, and more than $5.6 million in other assets.

The FSB also stated that they’ve “neutralized” the gang’s infrastructure, and the suspects have so far been charged with “illegal circulation of means of payment.”

The move comes in the wake of a call between U.S. President Joe Biden and his Russian counterpart, Vladimir Putin. The former urged the latter to act on Russian-based cybercriminals targeting U.S. interests.

It’s hoped that this rare example of collaboration between the countries is a sign of renewed efforts to combat international cybercrime and a start of de-escalating tensions between Russia and the U.S.

However, many others suspect that the move against REvil is nothing more than political maneuvering. There have long been suspicions that REvil is, in some way, supported or protected by the Russian authorities. The recent action against them may be nothing more than a political bid to relieve some U.S. sanctions and score more political capital, especially considering Russia’s previous track record of non-action.

After the Kaseya attack, REvil seemed to disappear for nearly two months. However, they soon re-emerged as a Raas (Ransomware-as-a-Service) threat actor, leasing their ransomware to other cybercriminals. Although it’s uncertain what exactly happened to REvil during this time, they seemingly underwent some turmoil. Their lead coder, known only as UNKN (aka Unknown), left the group, and they were alienated by the cybercriminal community for cheating their affiliates out of their share of proceeds.

Whatever the case may be, the fact that one of the most insidious cybercriminal forces of recent years seems to be gone for good is something to be relieved about. However, only time will tell whether this signals a sincere effort by Russia to curb cybercrime or whether it’s merely a politically expedient act.