The Russian Federal Security Bureau (FSB) on Friday (January 14) announced a crackdown on REvil criminal gang that has attacked US targets ruthlessly in the recent past. The accused have not been named by FSB, but the arrests took place in Moscow, the Lipetsk region south of the Russian capital, and St. Petersburg. The arrests are seen as a rare US-Russian collaboration as tensions are high between the two nuclear nations over Ukraine. One US official quoted by the AFP news agency also praised the arrests, saying: “I want to be very clear – in our mind, this is not related to what’s happening with Russia and Ukraine. I don’t speak for the Kremlin’s motives, but we’re pleased with these initial actions,” she said on condition of anonymity. The law enforcement agency listed REvil assets it had seized including 426 million roubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars. 

According to Reuters, a Moscow court document identified two of the men as Roman Muromsky and Andrei Bessonov and remanded them in custody for two months. Two people familiar with Muromsky said to the Reuters news agency that he was a web developer who had helped them with websites for their businesses. Last May the ransomware group, along with its affiliates, disrupted JBS, the largest meat producing company in the world. Two months later it attached thousands of businesses by exploiting a vulnerability in the update mechanism of IT services company Kaseya. FSB also seized control of cryptocurrency wallets used by the accused and recouped nearly $1.2 million in foreign cash troves. 

The REN TV, a private Russian channel aired footage of FSB agents raiding homes and arresting people, and seizing large piles of dollars and Russian roubles. In November, Poland arrested a 22-year-old Ukrainian national Yaroslav Vasinskyi accused of conducting the Kaseya attack. Vasinskyi reportedly abused a Kaseya product to deploy REvil code that then spread the group's ransomware via Kaseya’s networks, according to a US Department of Justice indictment. Yevgeniy Polyanin, a 28-year-old Russian national, was also charged with deploying REvil’s ransomware—he’s accused of conducting 3,000 ransomware attacks—and had $6.1 million of his assets seized. “Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. 

If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively,” a US DOJ release in November read. Other Russia-based groups like the notorious DarkSide gang and its successor BlackMatter continue to operate and attack targets. DarkSide is responsible for attacking Colonial Pipeline in May disrupting oil supplies in the eastern US states. “The big question, I suppose, is does this represent a real shift in Russia’s intentions to deal with this problem, or has REvil simply been sacrificed in an attempt to alleviate some international pressure?” Brett Callow, a threat analyst at the antivirus company Emsisoft was quoted by Wired.