
Four members of the REvil ransomware group, arrested in January 2022, have been released by Russian authorities after serving time for carding and malware distribution charges. The individuals—identified as Bessonov, Golovachuk, Muromsky, and Korotayev—pleaded guilty and were sentenced under Russian law, though their release highlights the complexities of international cybercrime enforcement [1]. This development follows earlier convictions of other REvil affiliates, including Yaroslav Vasinskyi, who received a 13.5-year sentence in the U.S. for orchestrating attacks like the Kaseya breach [2].
Legal Proceedings and Sentencing Disparities
The four released members were part of a larger group of 14 individuals arrested in 2022 after U.S. intelligence tipped off Russian authorities. While some, like Daniil Puzyrevsky, received sentences of up to six years for malware distribution, others faced lighter penalties for financial crimes [3]. The disparity in sentencing reflects differing priorities between Russian and U.S. law enforcement, with the latter focusing on ransomware operations and the former on domestic financial crimes. Notably, Yevgeniy Polyanin, another REvil affiliate indicted in the U.S., remains at large in Russia despite a $6.1 million cryptocurrency seizure by the DOJ [4].
REvil’s Global Impact and High-Profile Attacks
REvil, also known as Sodinokibi, was responsible for some of the most damaging ransomware attacks between 2020 and 2021. The group’s operations included the Kaseya supply chain attack, which affected over 1,500 businesses with a $70 million ransom demand, and the JBS Foods breach, which disrupted global meat supplies and resulted in an $11 million payout [5]. Other notable targets included Apple supplier Quanta Computer and Chile’s BancoEstado, the latter of which was forced to shut down branches after an employee opened a malicious document [6].
Current Status and Geopolitical Context
The release of these four members coincides with a broader collapse in U.S.-Russia cybercrime cooperation following the 2022 invasion of Ukraine. While the FSB dismantled REvil’s core infrastructure in 2022, affiliates like Polyanin continue to operate with impunity in Russia [7]. Meanwhile, ransomware groups such as Qilin have adopted new tactics, including a “Call Lawyer” feature to pressure victims, demonstrating the evolving nature of the threat [8].
Relevance to Security Professionals
The case underscores the challenges of prosecuting cybercriminals across jurisdictions. For defenders, it highlights the need for robust incident response plans and international collaboration. Key takeaways include the importance of monitoring financial transactions linked to ransomware payments and the value of threat intelligence sharing. Organizations should also prioritize patch management, particularly for vulnerabilities exploited by REvil, such as zero-days in managed service provider (MSP) tools.
Conclusion
The release of REvil members in Russia marks another chapter in the ongoing struggle against ransomware. While legal actions have disrupted some operations, the persistence of affiliates and the rise of new groups demonstrate that the threat remains significant. Security teams must remain vigilant, leveraging both technical controls and geopolitical awareness to mitigate risks.
References
[1] “Russian court sentences REvil members,” Kommersant, 2024.
[2] “DOJ sentencing of Yaroslav Vasinskyi,” U.S. Department of Justice, 2024.
[3] “Four REvil members sentenced in Russia,” The Record, 2024.
[4] “DOJ seizes $6.1M in REvil-linked crypto,” TechTarget, 2021.
[5] “REvil ransomware tactics,” CSO Online, 2021.
[6] “BancoEstado ransomware attack,” ZDNet, 2020.
[7] “REvil 2024 sentencing updates,” Security Affairs, 2024.
[8] “Qilin ransomware’s ‘Call Lawyer’ feature,” Security Affairs, 2025.