White House officials told reporters on Friday that the person behind the ransomware attack on Colonial Pipeline last year was arrested as part of the larger raid against the REvil ransomware group by Russian law enforcement on Friday, confirming reporting from The Washington Post.
On Friday afternoon, Washington Post reporter Ellen Nakashima said a US official told her that the person specifically behind the Colonial Pipeline attack was seen in a video shared by Russia's Federal Security Service (FSB) of the raid on an apartment building.
Multiple men are seen in the video, so it is unclear exactly which man is being referred to, but the White House later held a call with reporters and confirmed that one of those arrested was the specific person behind the Colonial Pipeline attack.
The FSB and the Ministry of Internal Affairs of Russia raided 25 different locations across Moscow, St. Petersburg and Lipetsk, arresting 14 people allegedly involved with REvil's operations.
The FSB said in a statement that many of those detained are now facing charges and noted that 20 luxury cars, 426 million rubles, $600,000 US dollars and Є500,000 in Euros were seized during the raids. Police also took computer equipment and gained access to several crypto wallets.
REvil and a closely-associated ransomware group called DarkSide were behind some of the biggest ransomware attacks in the US throughout 2021, including attacks on Colonial Pipeline, global food supplier JBS and IT developer Kaseya.
The US has spent months pressing Russia to do more to stop ransomware gangs from operating within their borders, and President Joe Biden personally discussed the issue with Russian President Vladimir Putin.
On Friday, Russia said it conducted the raid at the request of US officials who provided troves of evidence about the leader of REvil and other operators within the group.
Two men, Roman Muromsky and Andrei Bessonov, were named by Russian news outlets as members of the group, and video emerged online of the two in court.
In November, several members of REvil were arrested by Romanian authorities while US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against other members of the group as well as sanctions against organizations helping ransomware groups launder illicit funds.
According to the DOJ, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group allegedly brought in at least $200 million from ransoms.
REvil closed shop for the second time in October after saying the pressure from law enforcement had gotten too great for them to continue their operation. They originally shut down their operations in July after the attack on Kaseya affected more than 1,000 organizations around the world and led to offensive cyberattacks by multiple governments.
John Shier, senior security advisor at Sophos, said the arrests are unusual given Russia's past stance on ransomware crimes, noting that the timing was curious considering the cyberattacks conducted against Ukraine today.
"The news comes at a time when political tensions between the two governments are running high, and it's easy to be cynical about the motive. At a time when Russia needs a little geopolitical goodwill, they arrest individuals associated with a defunct ransomware group," Shier said.
"If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was. "
Digital Shadows' Chris Morgan said the arrests "shatter previous perceptions about the role of Russian authorities in tackling ransomware." Like Shier, he said the timing was suspicious and that the FSB's statement that the searches were carried out following "an appeal from the relevant US authorities" potentially represents a backhanded message highlighting that Russian authorities can be used to stop ransomware activity, but only under certain circumstances.
"It's likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US or the developing situation on Ukraine's border," Morgan said.
"The fact that the FSB targeted REvil, who have not been publicly active in conducting attacks since October 2021, is also significant; chatter on Russian cybercriminal forums identified this sentiment, suggesting that REvil were 'pawns in a big political game,' while another user suggested that Russia made the arrests 'on purpose' so that the United States would 'calm down.' It's possible that the FSB raided REvil knowing that the group were high on the priority list for the US while considering that their removal would have a small impact on the current ransomware landscape. These arrests could also have served a secondary purpose as a warning to other ransomware groups. REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting."
Josh Lospinoso, a former US Cyber Command officer, told ZDNet that Russia is likely throwing REvil under the bus, taking the group down in order to claim they are taking this onslaught of cyber-physical critical infrastructure attacks seriously.
REvil and other ransomware gangs were taken down in the past have often sprung back into action, Lospinoso explained.
"Leveraging cyber operations is a textbook Russian strategy during geopolitical negotiations -- whether that takes the form of launching offensive campaigns or playing the 'good guy' like we're seeing here -- as it gives the country plausible deniability and levels the playing field with more economically and militaristically powerful countries," Lospinoso said.