Getty Images/iStockphoto

Russian Intelligence Agency Arrests REvil Ransomware Gang Members

Russia’s FSB intelligence agency detained multiple individuals associated with the REvil ransomware gang, responsible for the Colonial Pipeline cyberattack.

Russia’s FSB intelligence agency detained 14 people in connection with the REvil ransomware gang, Reuters reported. REvil claimed responsibility for the attack on Colonial Pipeline, which disrupted thousands of miles of the US fuel supply chain and prompted an executive order aimed at improving the nation’s cybersecurity.

REvil was also tied to several cyberattacks on critical infrastructure entities, including those against Kaseya, JBS, and multiple healthcare organizations. In October, a multi-country operation forced the ransomware group offline. The following month, the US Department of Justice (DOJ) announced two indictments connected with the group’s attack on software management company Kaseya.

The FSB domestic intelligence operation searched 25 addresses and detained 14 people as of January 14, Reuters found. The agency also seized $600,000 of computer equipment along with 20 luxury cars.

The arrests occurred at the request of the US in a rare instance of US-Russian collaboration. In November, the US said it would offer a reward of up to $10 million for information leading to the identification of REvil members.

Meanwhile, tensions between the US and Russia continue to mount in the wake of a major cyberattack by Russia aimed at Ukranian government websites.

In early January, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning US critical infrastructure of ongoing Russian state-sponsored cyber operations.

“Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks,” the advisory stated.

The agencies recommended that critical infrastructure entities take steps to secure networks and improve their security postures. The American Hospital Association (AHA) echoed these warnings.

“Geopolitical tensions with Russia over the Ukraine and other issues seem to be fueling the increased cyber threat posed by Russia. This raises three issues of concern for the field: 1) Hospitals and health systems may be targeted directly; 2) hospitals and health systems may become incidental victims or collateral damage of Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. health care; and 3) a cyberattack could disrupt a mission-critical service provider to hospitals,” John Riggi, national advisor for cybersecurity and risk at the AHA, explained in a statement.

“This is a good reminder for all to have robust downtime procedures, redundancy and business continuity plans to sustain a loss of on-premises or cloud-based mission-critical services or technology for up to four to six weeks.”

Riggi previously told HealthITSecurity that healthcare organizations should focus on increasing cyber resiliency and readiness.

“Cyber risk isn't going to go away,” Riggi said in the interview.

“It's going to continue to increase, and we need to be prepared with all available solutions, both human, technical, and on the policy level.”

Next Steps

Dig Deeper on Cybersecurity strategies