Moscow said that, at Washington’s request, it had cracked down on a ransomware cybercrime group allegedly targeting U.S. companies.
Russia has dismantled the ransomware crime group REvil at the behest of the United States, detaining and charging members of the group, according to Russia’s Federal Security Service (FSB), its domestic intelligence agency.
In a statement on Friday, the FSB said it had “suppressed the illegal activities of members of the group” during raids on 25 addresses that swept up 14 people.
The arrests are a rare visible sign of U.S.-Russian cooperation at a time when tensions between the two countries are high over Ukraine.
The announcement comes as Ukraine is responding to a massive cyberattack shutting down government websites, but there is no indication that the incidents are related.
“We understand that one of the individuals arrested today was responsible for the attack on the Colonial Pipeline last spring,” a senior administration official told Reuters on condition of anonymity.
A cyberattack on the Colonial Pipeline in May, which led to a general shortage of natural gas on the U.S. East Coast, used encryption software called DarkSide, developed by REvil employees.
A U.S. official was quoted by AFP as saying: “I want to be very clear – in our view, this has nothing to do with what happened in Russia and Ukraine.
“I do not represent the Kremlin’s motives, but we are comfortable with these initial actions,” she said on condition of anonymity.
“We are also very clear – if Russia invades Ukraine further … we will coordinate with our allies to make Russia pay dearly.”
The FSB listed its seized REvil assets, including 426 million rubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.
A Moscow court identified two of the men as Roman Muromsky and Andrei Besonov and remanded them for two months.
Two people familiar with Muromsky told Reuters he was a web developer who helped them develop websites for their businesses.
US has no official comment
Russia has directly informed Washington of its actions against the group, the FSB said. The U.S. embassy in Moscow said it could not immediately comment.
“The investigative measures are based on … a request from the United States,” the FSB said. “…Organised criminal organisations have ceased to exist and the information infrastructure used for criminal purposes has been dismantled.”
The REN TV channel showed footage of agents raiding houses and arresting people, pinning them to the floor and confiscating large amounts of dollars and Russian rubles.
Members of the group have been charged and could face up to seven years in prison, the FSB said.
A source familiar with the case told Russia’s Interfax news agency that Russian citizen members of the group would not be handed over to the United States.
The United States said in November it was offering up to $10 million for information that could identify or locate anyone in a key position within the REvil group.
The United States has been hit by a series of high-profile hacks by cybercriminals seeking ransom. A source with direct knowledge of the matter told Reuters in June that REvil was implicated in a ransomware attack on JBS SA, the world’s largest meatpacking company.
Washington has repeatedly accused the Russian government of malicious activity on the Internet in the past, which Moscow denies. For several months, REvil has not been associated with any major attacks.
Muromsky, who was arrested in Friday’s raid, was in his 30s and was born in Anapa in southern Russia, a client of Muromsky told Reuters. “He’s an ordinary programmer.”
Another customer, Adam Guzuyev, described Muromsky as “an ordinary worker” who proved unable to install all the features Guzuyev wanted on his website.
“He earned no more than 60,000 rubles. I can’t say he has the capacity for genius,” he said.