Russia's domestic intelligence service, the FSB, said Friday that it has arrested members of REvil, one of the world’s most destructive ransomware gangs.
The arrests are the first time Russia has publicly taken action against one of the major ransomware groups that for years have seemed to have free rein to hack foreign targets, especially in the United States, locking their computers and extorting payments. But many experts caution that the arrests may reflect an attempt by the Kremlin to deflect attention from its ongoing escalations with Ukraine.
REvil is one of the most prolific of the many groups tied to Russia that have made a fortune hacking foreign organizations. Its victims included JBS, the world’s largest beef supplier, and the software company Kaseya, a particularly far-reaching hack that gave it access to thousands of victims. The U.S. Department of the Treasury said in November that the group had received more than $200 million in extortion payments.
To a degree, the arrests mark a foreign policy win for the U.S., which tracks cybercriminals around the world and often works with allies to arrest and extradite them. But many cybercriminals reside in Russia, which does not extradite its citizens and often doesn’t arrest them for hacking foreign targets, frustrating U.S. efforts to crack down on ransomware.
While the U.S. has been openly skeptical of Russia’s seriousness in countering ransomware as a global problem, leaving it out of a 30-country online summit on the topic, it also has repeatedly met with Kremlin representatives directly to try to convince them to take action against cybercriminals within Russia's borders.
In a call with reporters Friday afternoon, a senior White House official, who asked not to be named as a condition of participating in the call, described the arrests as an unqualified success.
"In our mind, this is not related to what’s happening with Russia and Ukraine," the official said.
The White House believes that one of those arrested was responsible for the ransomware attack on Colonial Pipeline, the official said. At the time, that attack was claimed by the ransomware group known as DarkSide, though hackers often rapidly adopt and drop pseudonyms.
The White House official attributed the arrests to efforts by President Joe Biden since the summer to pressure Russian President Vladimir Putin to take action against cybercriminals inside his country, and to increased information sharing between the U.S. and Russia.
In its announcement, the FSB said its investigation was prompted by "the appeal of the competent U.S. authorities."
The arrests come months after REvil had already appeared to cease activity, in the wake of the U.S. reportedly launching its own cyberattacks against the group.
The timing of the FSB’s announcement is suspicious, cybersecurity and Russia experts said, as it comes four days after recent talks between the U.S. and Russia about Moscow’s potential invasion of Ukraine seemed to fail to reach a breakthrough. On Thursday night, Ukrainian government websites suffered a cyberattack from an unidentified perpetrator. Russia has denied it was responsible but has also denied being behind previous similar attacks that Western governments and cybersecurity experts widely believe it did conduct.
Gavin Wilde, a geopolitical analyst and Russia expert at the Krebs Stamos Group, a cybersecurity company, said the arrests appear to be strategically motivated.
“The FSB has been known to make big splashy arrests for their domestic propaganda value,” he said.
“The idea here may very well be to signal some degree of leverage or prospect to the U.S.,” Wilde said.
Russia's Ministry of Foreign Affairs didn't immediately respond to a request for comment.
Philip Reiner, the CEO of the Institute for Security and Technology, a San Francisco think tank behind an influential report on how the U.S. can fight ransomware, questioned why the announcement didn’t come earlier.
“While we will always welcome arrests like these, and it would seem some political pressure may be paying off, the timing is clearly circumspect while likely Russia-tied actors are defacing Ukrainian official websites and threatening the personal information and lives of the Ukrainian people,” he said. “Initially it seems great, but simultaneously a spit in the face by the Russians. Why didn’t this happen in summer when it could have?”