Updated Jan 14, 2022 - World

U.S. confirms Russia arrested REvil ransomware hackers

Russian President Vladimir Putin speaking in Moscow in June 2021. Photo: Alexei Nikolsky/TASS via Getty Images

Russia's security agency said Friday it arrested members of the Russia-based cyber gang REvil that was responsible for multiple massive ransomware attacks against U.S. companies last year.

The latest: A senior administration official confirmed on Friday afternoon that Russia informed the U.S. that it arrested the alleged hackers, including an individual responsible for the cyberattack that crippled the Colonial Pipeline.

What they're saying: "I want to be very clear: In our mind, this is not related to what's happening with Russia and Ukraine. I don't speak for the government's motives, but we're pleased with these initial actions," the official said on a call with reporters.

Between the lines: The Colonial Pipeline hack, which was the largest cyberattack on an oil infrastructure target in U.S. history, was originally attributed to the ransomware gang DarkSide. The arrest of the alleged REvil member likely reflects the amorphous nature of these types of criminal groups.

Why it matters: Russia's Federal Security Service said the arrests were made based on an appeal from the United States, marking a rare occurrence of cybersecurity coordination between the two countries.

  • The security agency did not disclose specifically how many people were arrested, but said that it seized $600,000, 500,000 euros, 426 million rubles, computer equipment, crypto wallets that were used to commit cybercrimes and 20 cars purchased with illegally obtained money.
  • The U.S. does not have an extradition treaty with Russia, but the senior official said that the administration's "expectation" is that Russia will be "pursuing legal action within its own system" to hold the suspects accountable.

The big picture: The news of the arrests came as a surprise to many observers, given the grim state of U.S.-Russia relations after this week's failed diplomatic talks over European security and Ukraine.

  • REvil's servers had been intermittently online and offline for several months after first mysteriously going down in July 2021 — roughly two weeks after the group launched a large-scale ransomware campaign against software provider Kaseya that affected more than 1,500 companies.
  • The Justice Department in November charged two suspected hackers — Yaroslav Vasinskyi, 22, and Yevgeniy Polyanin, 28 — who were allegedly involved in attacks by REvil.
  • On top of the Kaseya campaign, REvil also targeted the major meat supplier JBS in June, forcing it to shut down most of its beef plants across the U.S.

Go deeper: "Massive" cyberattack hits Ukraine's government websites

Editor's note: This story has been updated to reflect the U.S. confirmation.