FBI seized Bitcoins worth $2.3 million from REvil affiliate

Law enforcement has stepped up its game to combat REvil over the past year


The cash comes from ransomware payouts to mitigate REvil attacks

A newly unsealed court filing shows that the US FBI seized 39.9 Bitcoins - worth approximately $2.3 million (about £1.7 million) - from an alleged affiliate of the REvil ransomware gang back in August.

The federal agency said the seized cryptocurrency was derived from payments to the REvil group to mitigate the effects of ransomware attacks in the United States and elsewhere between April 2019 and June 2021.

Acting US Attorney Chad E. Meacham filed the complaint for forfeiture in the US District Court for the Northern District of Texas.

The court documents point to a Russian citizen known as Aleksandr Sikerin as a potential claimant. They allege he was affiliated with REvil and was responsible for attacks that generated about $200 million (£150 million) in payments from ransomware victims during the period. The cryptocurrency wallet that is now under the FBI's control is 'traceable to ransomware attacks committed by Sikerin'.

Sikerin, whose last-known address placed him in the Russian city of Saint Petersburg, has been charged with multiple counts of conspiracy and money laundering.

Law enforcement officials believe Sikerin is just one affiliate within the REvil gang's vast network.

Ransomware gang affiliates are responsible for the frontline hacking work of breaking into victims' networks and stealing data from their machines. They usually earn 70-80 per cent of the ransom.

REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of 2020/21. It breaches company networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs).

In June, meat processing giant JBS said it paid $11 million (about £8.2 million) to REvil, which locked its systems at the end of May. In July, REvil used a zero-day bug in Kaseya's VSA remote management tool to encrypt data at about 60 managed service providers and over 1,500 of their small- and medium-sized business customers, in a massive supply chain strike.

A few days after attacking Kaseya, REvil disappeared from the internet - abandoning forums, disconnecting its servers, and shutting down its dark web presence. Experts suspected that the Russian government had forced the group to cease operations, to show the world that it was working with the US government. It later emerged that the REvil gang was itself hacked and taken offline in a coordinated operation involving law enforcement agencies from multiple countries.

US President Biden met Russia's President Putin in June to discuss the ongoing cyber attacks against the West, which all seem to originate from Russia. Biden said he expects Russia to act against any such groups operating within its borders.

"I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is."

Biden also said recently that the US government is committed to strengthening cybersecurity "by disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace" and holding accountable those "that threaten our security".