The bizarre Russian trial of eight members of the REvil ransomware group is perhaps most noteworthy for the insight it offers into the gang that unleashed a scourge of high-profile attacks against U.S. targets in mid-2021, most notably Colonial Pipeline.
The REvil ransomware trial, at the Saint Petersburg Garrison Military Court, has already seen greatly reduced charges for the defendants. The main charge is “illegal circulation of payment means committed by an organized group,” a reference to alleged bank card theft, according to an Izvestia report.
Only two of the defendants – alleged REvil leader Daniil Puzyrevsky and Ruslan Khansvoyarov – have been charged with anything resembling a ransomware crime: “creation and distribution of malicious programs by a group of persons by prior conspiracy, causing large-scale damage or committed for selfish purposes,” Izvestia said.
But even with those limited charges, the defense is claiming a lack of evidence and victims, at least with the evidence that the court has allowed. The REvil case is being tried in military court because one of the defendants was in military service at the time of the alleged crimes.
Tesla Bribe Attempt, Ransom Payment – and a Lack of U.S. Help
The case has been interesting for the details it’s revealed about REvil operations, including an attempt to bribe a Tesla engineer for planting malicious software at the company.
Izvestia claims that lack of U.S. cooperation has hindered the case, noting that “neither the Tesla episode nor the facts of hacking and blackmail of Colonial Pipeline and other American companies are included in the final indictment. The scale of the investigation, which began in 2021, fell victim to geopolitics. Since the beginning of the SVO [special military operation], the US Department of Justice has been ignoring the request of the Russian Prosecutor General’s Office for legal assistance in this criminal case.”
A lawyer for the defendants noted that U.S. help may not have been sought in the case of the bank card fraud charges.
REvil’s 2021 crime spree claimed Colonial Pipeline, Kaseya, meat supplier JBS and Quanta Computer among its victims – and led U.S. President Joe Biden to reach out to Russian President Vladimir Putin for help. The investigation that followed led to the arrest of Puzyrevsky and his co-defendants.
According to Izvestia, Puzyrevsky, together with the DarkSide ransomware actors, encrypted the data of the Colonial Pipeline company. “This is proven by a table found on his computer with transactions from his Bitcoin wallet, which included a transfer dated May 9, 2021 for 63.7 BTC” – a sum valued at $2.3 million that was 85% of the ransom paid by Colonial Pipeline, which the U.S. Justice Department subsequently seized.
Tesla Bribe Attempt Detailed in REvil Ransomware Trial
One of the more interesting revelations to come from the case involved an attempted bribe of a Tesla engineer that led to an arrest in the case.
Izvestia said that in the interrogations of witnesses in the case, Yegor Kryuchkov said that in the summer of 2020, Alexey Skorobogatov, who was close to the leaders of REvil, including Puzyrevsky, asked Kryuchkov if he had any friends working in large foreign companies. When Kryuchkov said he had an engineer friend at Tesla, “they offered him $500,000 to hack the company.”
Kryuchkov flew to the U.S. to meet with the engineer, who “had to be convinced to introduce a malicious program into the software used by his employer, or simply to open a letter sent to corporate mail with a Trojan virus.”
Kryuchkov met with the Tesla engineer, who wanted $1 million for his efforts. The engineer alerted U.S. law enforcement, and Kryuchkov was arrested by the FBI. Kryuchkov served 10 months, then was deported to Russia to become a witness in the REvil case. Skorobogatov is not a defendant in the current trial.
Even though REvil disbanded in 2021, members continued to play a major role in Russian cybercrime, joining BlackBasta and other groups.
In a LinkedIn post on the trial, RedSense Partner and AdvIntel co-founder Yelisey Bohuslavskiy wrote that “many top REvil pentesters, after the government crackdown, volunteered to collaborate with Yevgeny Prigozhin’s business empire in 2022. After his failed coup, many were allegedly transferred to other government-affiliated services.”