Russia releases 4 members of the REvil ransomware gang.

Four members of the notorious REvil ransomware gang—Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev—were recently released by Russian authorities after serving time in detention for carding and malware distribution charges. They were initially arrested in January 2022 as part of a broader crackdown on the REvil group, which was responsible for some of the most damaging ransomware attacks in recent years.

The four pleaded guilty to participating in the gang’s carding activities, which involved the unauthorized use and distribution of payment card information between October 2015 and January 2022. While they were sentenced to five years in prison, the court determined that the time they had already spent in detention (SIZO) during the investigation and trial was sufficient, resulting in their release. This decision reflects a common practice in Russian legal proceedings where pre-trial detention is often counted toward the total sentence.

In contrast, four other REvil members—Artem Zayets, Alexey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov—received sentences ranging from 4.5 to 6 years in prison after refusing to plead guilty to similar charges. Puzyrevsky and Khansvyarov were additionally convicted of distributing malware. These sentences were handed down as part of a separate legal proceeding.

The overall case against REvil members is notable for being one of the rare instances in which Russian authorities have prosecuted cybercriminals domestically, despite ongoing tensions with Western nations over cybercrime enforcement. The release of the four members after time served highlights both the complexities of international cybercrime prosecution and the unique aspects of the Russian judicial system.

REvil, also known as Sodinokibi or Sodin, was one of the most prolific and notorious ransomware-as-a-service (RaaS) operations, active from April 2019 until its official dismantling in January 2022. The group was primarily Russian-speaking and believed to be based in Russia, with its name inspired by the “Resident Evil” franchise.

REvil Structure and Modus Operandi

REvil operated as a business, developing ransomware and leasing it to affiliates who carried out attacks. The core group maintained the code, managed payment and leak sites, and took a percentage (20–30%) of the ransom proceeds, while affiliates executed the breaches and infections. The group exploited zero-day vulnerabilities, breached Remote Desktop Protocol (RDP) servers, and used phishing emails to infiltrate organizations. Once inside, they encrypted files and exfiltrated sensitive data, threatening to leak or auction it unless a ransom was paid—a tactic known as double extortion.

They typically targeted high-profile organizations globally, including JBS (the world’s largest meat processor), Kaseya (IT management software provider), Colonial Pipeline, and the law firm Grubman Shire Meiselas & Sacks.

REvil is widely believed to be the successor to the GandCrab ransomware group, which shut down in mid-2019. Much of REvil’s code and tactics trace back to GandCrab, and several operators reportedly transitioned directly from GandCrab to REvil.

Law Enforcement Actions and Downfall of REvil

The July 2021 Kaseya attack, which affected over 1,500 businesses, prompted U.S. President Biden to pressure Russian President Putin to act against Russian-based cybercriminals. This led to a coordinated international law enforcement response. In January 2022, Russia’s FSB raided 25 locations, arresting 14 individuals linked to REvil and seizing over $5.6 million in cash and cryptocurrency, as well as luxury vehicles. The U.S. and other countries also arrested and prosecuted affiliates, including Ukrainian national Yaroslav Vasinskyi, who was sentenced to 13 years in prison for his role in the Kaseya attack.

Despite the arrests, some REvil infrastructure briefly resurfaced, leading to speculation about whether original members or copycats were behind renewed activity. However, the group’s core operations and reputation were irreparably damaged by law enforcement actions.