As it became known to the telegram channel of the Cheka-OGPU and Rucriminal.info, the FSB of the Russian Federation began to carry out active operational measures against members of the REvil hacker group in August 2021. And in September, the Investigative Department (SD) of the Ministry of Internal Affairs of the Russian Federation filed petitions with the court to seize items and documents containing state or other secrets protected by federal law, as well as to seize information about deposits and bank accounts of persons who were participants in REvil. In January 2022, as part of a case already initiated by the SD, the FSB carried out detentions. Active work, including investigative work, began shortly after Joe Biden, during a telephone conversation with Vladimir Putin in July 2021, called on Russia to take measures to stop the activities of hackers operating on its territory, “and emphasized that he was determined to continue combat the broader threat posed by ransomware.”
The Kremlin then reported that Putin had declared Russia's readiness "to jointly suppress criminal manifestations in the information space," but in the last month there were no such appeals from US departments.
The conversation was about REvil.
In 2021, several major cyberattacks were made against US businesses and companies, which brought them to a halt. One of the loudest is the attack on the Colonial Pipeline, the largest pipeline network on the US East Coast for the supply of gasoline, diesel fuel and other petroleum products. The pumping of oil products was stopped for several days. In June 2021, all the factories of the largest meat producer JBS S.A. got up in the USA due to a cyber attack. As a result, the management of Colonial Pipeline paid the cybercriminals a ransom of 75 bitcoins ($4.5 million at the time of the transaction).
And so the July conversation between the two presidents led to the fact that in Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions, an operation was carried out against REvil participants
As a result of a complex of coordinated investigative and operational search activities, funds were seized at 25 addresses at the places of residence of 14 members of the organized criminal community: over 426 million rubles, including in cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with money obtained from crime.
The Tverskoy court arrested Muromsky and Bessonov for two of the Revil members. The United States has already announced that the detainees were involved in the attack on the Colonial Pipeline.
What is known about the hacker group REvil?
REvil Hackers is one of the most resonant hacker groups in the world. Members of the group have carried out some of the largest cyberattacks in recent years demanding a ransom for unlocking systems. The main method of the gang's work: hackers, by encrypting data, block entire systems of companies around the world. Hackers ask for millions of dollars to regain access to damaged computer systems.
On November 8, 2021, the American authorities announced that they had arrested one of the REvil participants, a citizen of Ukraine, Yaroslav Vysinsky, in Poland. At the same time, they said they seized $6.1 million that they linked to alleged ransom payments received by 28-year-old Evgeny Polyanin, a Russian citizen who was also accused of carrying out Sodinokibi/REvil ransomware attacks against several victims, including businesses and government institutions in Texas.
According to court documents, Vasinsky is allegedly responsible for the July 2 ransomware attack on Kasey's company.
“In the attack on Kaseya, the prosecution alleges that Vasinsky caused the deployment of the Sodinokibi/REvil malicious code in the Kaseya product, which caused Kaseya’s production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After remote access to Kaseya endpoints was installed, ransomware was launched on these computers, resulting in data encryption on the computers of organizations around the world that used the Kaseya software. Using the Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes as a text file on victims' computers. The notes included a web address leading to an open source privacy network known as Tor, as well as a link to a publicly accessible website address that victims could visit to recover their files. When visiting any website, the victims were given a ransom note and provided a virtual currency address to pay the ransom. If the victim paid the ransom, the defendants provided a decryption key, after which the victims could access their files. If the victim did not pay the ransom, the defendants usually released the victim's stolen data or and claimed that they sold the stolen data to third parties, and the victims could not access their files, ”then wrote in an official press release in the United States.
If found guilty on all counts, Vysinsky and Polyanin face maximum sentences of 115 and 145 years in prison, respectively.
On October 8, Vasinsky was taken into custody in Poland, where he remains in custody. His lawyer, Arkady Bukh, told the VChK-OGPU telegram channel that they are now trying to prevent the extradition of the accused to the United States in the first place.
“First of all, we are trying to challenge the request for his extradition to the United States. Yaroslav Vasinsky does not admit his guilt. We are now trying to get him released on bail.” - says lawyer Arkady Bukh.
“In general, the history of REvil is rooted in an amazing psychological effect that took place before. It goes back to the era of 10-15 years ago, when many hackers were mainly engaged in bank robbery.
Banks were already quite difficult to rob even then: they had a cybersecurity system more or less established already in those days. At the same time, almost all large and medium-sized companies practically did not protect themselves from cyber attacks. And so began the era of hackers who trained at mediocre companies. They hacked them and extorted money to give them back access to the hacked systems. Actually, this is what REvil members are now accused of,” says Arkady Bukh.
On January 14, 2022, the FSB announced the final defeat of REvil.
To be continued