Russia Arrests Hackers Tied to Major U.S. Ransomware Attacks, Including Colonial Pipeline Disruption

Editorial Board Published January 14, 2022

WASHINGTON—The Russian government on Friday said it had arrested members of the prolific criminal ransomware group known as REvil that has been blamed for major attacks against U.S. business and critical infrastructure, disrupting its operations at the request of U.S. authorities.

Russia’s security service, the FSB, said in an online press release that it had halted REvil’s “illegal activities” and seized funds belonging to the group from more than two dozen residences in Moscow, St. Petersburg and elsewhere. REvil members were arrested in relation to money-laundering charges, the FSB said. It didn’t provide names of any of the suspects.

The arrests included “the individual responsible for the attack on Colonial Pipeline last spring,” a particularly devastating ransomware offensive that led to the main conduit of fuel on the U.S. East Coast being shut down for days, a senior Biden administration official said. A different Russian ransomware gang had previously been linked to the Colonial hack, but security experts and officials have said such gangs are not neatly defined and that their individual hackers often overlap.

“We welcome reports the Kremlin is taking law enforcement steps to address ransomware within its borders,” the official said.

TASS, the Russian state news agency, said 14 members of REvil had been arrested. A Russian government video published online by TASS Friday showed clips of Russian law enforcement forcibly entering apartments, detaining suspects whose faces are blurred out, and counting large bundles of Russian and American currency. TASS identified one of the people arrested as Roman Muromsky.

Analysts said the timing of the action was notable because it arrived alongside rising tensions between Russia and Ukraine, as U.S. and NATO efforts so far to ease the situation appear to have faltered.

“This is Russian ransomware diplomacy,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, a Washington-based cybersecurity think tank. “It is a signal to the United States—if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.”

The senior administration official said the crackdown on Friday “is not related to what’s happening with Russia and Ukraine,” and that the U.S. has been clear what penalties Moscow will face if it invades its neighbor.

The Russian Embassy in Washington declined to comment and only referred back to the FSB press release.

The operation against REvil would amount to the most significant action Russia has taken against ransomware gangs that operate within its borders. The group is one of the most notorious ransomware gangs in Russia and was blamed for major attacks last year in the U.S. that disrupted operations at a major meat supplier, for which it netted a ransom payment of $11 million, and another attack that affected about 1,500 businesses.

U.S. officials have long accused Russia of claiming to prosecute hackers and other criminals that they later release and enlist to help in their government cyber operations.

While the arrest of 14 alleged ransomware hackers seems like a significant breakthrough in diplomatic relations, it may merely be intended as a gesture by Russia to placate the U.S. ahead of possible Ukraine-related sanctions, said Gary Warner, director of threat intelligence with the cybersecurity firm DarkTower. “It probably does not mean that a new era of cybercrime cooperation has opened.”

Russia ceased cooperation with U.S. authorities on investigations about eight years ago, around the time of Russia’s annexation of Crimea and U.S. sanctions that resulted, he said.

President Biden last year identified ransomware attacks emanating from Russia as a top national security threat, and he has repeatedly pressured Russian President Vladimir Putin to crack down on criminal ransomware groups. Ransomware is a type of malicious cyberattack that locks up a computer system and holds data until the victim pays a ransom, typically in cryptocurrency.

Since last summer, U.S. and Russian officials have held several bilateral conversations to discuss the issue. Some of those conversations included the U.S. sharing specific names and intelligence with Russia about hackers identified as ransomware operators, officials familiar with the conversations have previously said.

U.S. officials have offered at times mixed messages about whether Russian ransomware attacks have fallen as a result of the administration’s diplomatic efforts, but until now there has been little public evidence that Moscow was cooperating.

The announcement of the crackdown came amid a growing buildup of Russian troops and military equipment at its border with Ukraine, as the U.S. and western allies have tried unsuccessfully to ease tensions between the neighbors. Ukraine also said Friday it had been hit by a cyberattack that had knocked several of its government websites offline. It wasn’t clear who was responsible.

Ransomware attacks are increasing in frequency, victim losses are skyrocketing, and hackers are shifting their targets. WSJ’s Dustin Volz explains why these attacks are on the rise and what the U.S. can do to fight them. Photo illustration: Laura Kammermann

In its press release the FSB said it had seized REvil’s cash, cryptocurrency wallets used in the alleged criminal operations, and 20 “premium cars” purchased with the group’s stolen money.

First discovered in the spring of 2019, REvil has emerged as one of the most prevalent ransomware families, security experts say. Its creators essentially rent their malicious software out, allowing hackers—called affiliates—who have already broken into corporate networks to deploy the software.

But the group’s operations have been under pressure from law enforcement. In July, the group temporarily ceased operations and the anonymous person who had served as its spokesperson vanished from online forums. The group returned online, only to vanish again in October after its online operations were again closed.

The Justice Department said in November it had seized $6.1 million in digital currency it said was tied to proceeds of an alleged REvil operator and Russian national, Yevgeniy Polyanin, while it unsealed an indictment against him.

The action coincided with an arrest in Poland of a Ukrainian national on charges he had launched the REvil ransomware attack on technology company Kaseya Ltd., which disrupted about 1,500 mostly small- and medium-size businesses in July. Europol, the European Union’s law-enforcement agency, said at the same time authorities in Romania had arrested two other people in connection with REvil.

Write to Dustin Volz and Robert McMillan

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
