Russia’s operation to dismantle the REvil ransomware gang is unlikely to be the start of a broader crackdown on Russian cybercriminals, but it will send a message that high-profile disruptive attacks that risk direct U.S. retaliation against Russia are off-limits. This makes it more likely that some groups will prioritize targeting less strategic (but still lucrative) U.S. organizations. Russia’s Federal Security Service (FSB) said in a Jan. 14 press release that it conducted an operation to dismantle and arrest suspected members of REvil at the request of the United States, and that the ransomware gang now ceases to exist. The timing of the FSB’s announcement, and the emphasis it places on acting at the request of the United States, appears designed to showcase Russia as a cooperative and responsible state actor amid increasing Western accusations of Russian aggression in Ukraine.
The FSB said it seized 20 premium cars, computer equipment and 426 million rubles ($5.5 million), 500,000 euros ($572,000) and $600,000 in cash from 25 different addresses belonging to 14 suspected members of the group. The service said that the members were charged under Russian law with “illegal circulation of means of payment.” The names of the members have not been publicly released.
REvil was behind the May 2021 ransomware attack against meat processing firm JBS, which briefly stopped many of the company’s U.S. processing plants. The group was also behind the July 2021 ransomware attack against IT service firm Kaseya that affected thousands of the firm’s customers across the globe. Following a multilateral law enforcement operation targeting its servers led by United States Cyber Command, REvil announced in October 2021 it was shutting down.
In an indictment unsealed in November 2021, the U.S. Justice Department charged Russian national Yevgeniy Polyanin with various crimes in connection to REvil attacks on multiple organizations in Texas, although he was believed to be in Russia. It is not clear if the FSB targeted Polyanin in its operation against REvil.
Although the date of the arrests is unknown, the timing of the FSB’s announcement coincides with a breakdown in Russia’s negotiations with the United States and NATO over Ukraine, which suggests that Moscow is trying to use the arrests to show it is playing a positive role internationally in the hope of convincing the West not to follow through with sanctions. In the week preceding the announcement, two rounds of negotiations involving the United States and Russia, a bilateral dialogue on Jan. 10 and a NATO-Russia meeting on Jan. 12, failed to make headway with Russian officials, who described the talks as hitting a “dead end.” Western officials have accused Russia of continuing to build up its forces along the Russian-Ukrainian border. Moscow, on the other hand, has said that it is the “guarantor of peace” in the region and that keeping NATO enlargement on the table only further encroaches upon Russia. Even if unlikely to affect Washington’s position on Ukraine, the REvil dismantlement demonstrates that Moscow is dangling the prospect of tighter cybersecurity cooperation with the United States. By showcasing the type of cooperation the United States could risk losing, Russia is hoping Washington will grant additional concessions regarding its demands for “security guarantees,” or at the least think twice before pressing forward with sanctions on Russia.
According to U.S. officials speaking to CNN on Jan. 14, Russia has operatives in Ukraine trained in explosives and urban warfare who could carry out a “false-flag” operation as a pretext for a Russian invasion. One U.S. official cited in the report compared the situation with the 2014 pretext for annexing and intervening in Crimea, saying that “the Russian military plans to begin these activities several weeks before a military invasion, which could begin between mid-January and mid-February.”
Russia is also likely trying to use the arrests to signal to other groups to keep their activities within an acceptable range so as not to provoke a U.S. response, which could further shift ransomware groups’ target selection toward less strategic targets. High-profile ransomware attacks that REvil carried out in 2020, as well as the Colonial Pipeline attack conducted by fellow Russian ransomware gang Darkside, significantly impacted U.S. critical infrastructure. U.S. Federal Energy Regulatory Commission Commissioner Mark Christie said the Colonial Pipeline attack would be considered an “act of war” if it was carried out by a nation-state, and an “act of terror” if it was conducted by a non-state actor. Attacks carried out by cybercriminals that the United States defines in those terms risk undermining the Kremlin’s own national security by provoking a potentially proportional response from Washington. By arresting suspected REvil members, Russia is telling other ransomware gangs that they are not out of the Kremlin’s reach and that authorities will arrest members of a specific group if their activities attract too much U.S. and global media attention. This will likely lead many Russian cybercriminals to become more modest in their goals and to pursue less prominent targets (like hospitals, defense contractors and local government offices) whose compromise may not have as systemic an impact on a large geographic portion of the United States, even if they are still technically defined as critical infrastructure.
The arrests also come as the United States is boosting its own cybersecurity defensive measures and (as shown by the October U.S. operation against REvil’s servers) offensive measures, reinforcing the shifting calculus of cybercriminals in their target selection.
The attack on Colonial Pipeline led to a shutdown of the southeastern United States’ most important pipeline, causing gasoline shortages across the region.