{
	"id": "2e7e33e1-fecd-4611-accb-a4ca4456fcf2",
	"created_at": "2026-04-06T00:21:43.150307Z",
	"updated_at": "2026-04-10T13:12:06.498923Z",
	"deleted_at": null,
	"sha1_hash": "a282fcdcae4a7cb305fb137fc2aab897683be069",
	"title": "Russia arrests REvil ransomware gang members, seize $6.6 million",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 847041,
	"plain_text": "Russia arrests REvil ransomware gang members, seize $6.6 million\r\nBy Ionut Ilascu\r\nPublished: 2022-01-14 · Archived: 2026-04-05 13:25:51 UTC\r\nThe Federal Security Service (FSB) of the Russian Federation says that they shut down the REvil ransomware gang after\r\nU.S. authorities reported on the leader.\r\nMore than a dozen members of the gang have been arrested following police raids at 25 addresses, the Russian security\r\nagency says in a press release today.\r\n“The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the\r\ncriminal community and his involvement in encroachments on the information resources of foreign high-tech companies by\r\nintroducing malicious software, encrypting information and extorting money for its decryption” - Russia’s Federal Security\r\nService\r\nRussian authorities have detained 14 individuals suspected to be part of the REvil ransomware-as-a-service (RaaS) operation\r\nand confiscated cryptocurrency and fiat money as follows:\r\nmore than 426 million rubles (approximately $5,5 million)\r\n600 thousand US dollars\r\n500 thousand euros (approximately $570,000)\r\nRussian authorities also confiscated 20 luxury cars purchased with money obtained from cyberattacks, computer equipment\r\nand cryptocurrency wallets used to develop and maintain the RaaS operation.\r\nFootage from the raids available below shows how officers detained the suspects and confiscated money and electronics:\r\nThe raids took place at addresses in Moscow, St. 
Petersburg, Leningrad, and Lipetsk regions.\r\nThe FSB says that it was able to identify all members of the REvil gang, document their illegal activities, and\r\nestablish their participation in “illegal circulation of means of payment.”\r\nApart from creating the file-encrypting malware and deploying it on enterprise networks across the globe, REvil members\r\nwere also involved in stealing money from the bank accounts of foreign citizens.\r\n“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community\r\nceased to exist, the information infrastructure used for criminal purposes was neutralized” - Russia’s Federal Security Service\r\nThe FSB says that they informed the representatives of the competent U.S. authorities about the results of the operation.\r\nREvil ransomware crumbles\r\nREvil ransomware (aka Sodin and Sodinokibi) emerged in April 2019 from the void left behind by the shutdown of the\r\nGandCrab operation.\r\nIn less than a year, the gang became the most prolific ransomware group, asking for some of the highest ransoms from its\r\nvictims. It rose to infamy in August 2019 when it hit multiple local administrations in Texas and demanded a collective\r\nransom of $2.5 million - the highest to that date.\r\nSoon, asking for huge amounts of money from large organizations and getting paid became the norm. In a year, the gang\r\nclaimed profits in excess of $100 million.\r\nREvil's most publicized hit was the Kaseya supply-chain attack that crippled around 1,500 businesses all over the world. The\r\nransom demand to decrypt all organizations was $70 million in Bitcoin.\r\nThis attack prompted a stern response from the U.S., with President Biden asking President Putin to take action against\r\ncybercriminals residing in Russia; otherwise, the U.S. 
would take action on its own.\r\nThe gang was also the first to have a representative going by the forum name UNKN at first, later switching to Unknown,\r\nwho promoted the REvil RaaS business in the Russian-speaking criminal hacker community.\r\nThis public-facing representative disappeared soon after the Kaseya attack (some assumed Unknown was arrested) and\r\npressure from international law enforcement increased.\r\nAfter the Kaseya attack, the REvil operation took a break and then resumed operations two months later. What the operators\r\ndid not know was that law enforcement had breached their servers before the hiatus and when they restored the systems\r\nfrom backups the criminals also restored machines controlled by law enforcement.\r\nFSB's action against REvil comes after the U.S. and international law enforcement organizations joined forces to identify\r\nand arrest members of ransomware operations.\r\nAs a result, the U.S. announced in November 2021 that it had arrested a REvil ransomware affiliate (Ukrainian national\r\nYaroslav Vasinskyi) responsible for the Kaseya attack and seized over $6 million from another Revil partner (Russian\r\nnational Yevgeniy Polyanin), believed to have deployed about 3,000 ransomware attacks.\r\nThe same month, authorities in Romania arrested two REvil ransomware affiliates responsible for 5,000 attacks that brought\r\nthem EUR 500,000 from collected ransoms.\r\nUpdate [January 14, 2022, 13:26 EST]: Added background information about the REvil ransomware gang and arrests of\r\nits affiliates\r\nSource: https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/"
	],
	"report_names": [
		"russia-arrests-revil-ransomware-gang-members-seize-66-million"
	],
	"threat_actors": [],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a282fcdcae4a7cb305fb137fc2aab897683be069.pdf",
		"text": "https://archive.orkl.eu/a282fcdcae4a7cb305fb137fc2aab897683be069.txt",
		"img": "https://archive.orkl.eu/a282fcdcae4a7cb305fb137fc2aab897683be069.jpg"
	}
}