Suspected REvil ransomware affiliates arrested in Romania


Seven REvil/GandCrab affiliates have been arrested since February 2021, Europol says

Romanian law enforcement authorities arrested two individuals last week suspected of carrying out cyber attacks using the Sodinokibi/REvil ransomware.

The two suspects are alleged to be responsible for around 5,000 ransomware infections and are thought to have received nearly €500,000 in ransom payments.

DIICOT (the Romanian Directorate for Investigating Organised Crime and Terrorism) and judicial police officers carried out four home searches in the municipality of Constanța on 4 November and seized several electronic devices, including laptops, mobile phones and storage media.

The same day, the Bucharest Tribunal ordered the pre-trial detention of the two defendants, for a period of 30 days.

The European law enforcement agency Europol said in a press release that the arrests were the result of "Operation GoldDust", which involved Europol, Eurojust, INTERPOL and 17 countries.

In addition to the two arrests made last week, five other suspected ransomware gang members have been arrested since February 2021: three REvil affiliates and two GandCrab affiliates.

In February, April and October 2021, South Korean authorities arrested three individuals alleged to be involved in the GandCrab and Sodinokibi/REvil ransomware families.

Last month, a Sodinokibi/REvil member - a Ukrainian national suspected of perpetrating the Kaseya attack - was arrested at the Polish border after an international arrest warrant was issued by the US.

On 4 November, another GandCrab suspect was arrested by Kuwaiti authorities.

Together, these seven ransomware affiliates are suspected of being responsible for nearly 7,000 infections and of having issued a total of €200 million in ransom demands.

During the GoldDust operation, Europol facilitated the information exchange, supported the coordination of the operation, and provided operational analytical support, as well as malware, cryptocurrency and forensic analysis.

"During the action days, Europol deployed experts to each location and activated a Virtual Command Post to coordinate the activities on the ground," the agency said.

Operation GoldDust received support from private cyber security firms including Bitdefender, McAfee and KPN. According to Europol, Bitdefender is also providing decryption tools to help ransomware victims recover their data without paying the ransom.

REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of 2020/21. It operates as ransomware-as-a-service, with affiliates carrying out the intrusions, and breaches company networks using spam, exploits, exposed remote desktop services and compromised managed service providers (MSPs).

The gang primarily focuses on big firms and avoids targeting consumers.

In June, meat processing giant JBS said it had paid $11 million to REvil, which locked its systems at the end of May.

In July, REvil used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers in a massive supply-chain attack.

A few days after attacking Kaseya, REvil disappeared from the internet - abandoning forums, disconnecting its servers and shutting down its dark web presence. Experts suspected that the Russian government had forced the group to cease operations, to show the world that it was working with the US government.

In September, many of the dark-web servers belonging to REvil resurfaced, sparking fears that the group was preparing for new attacks.

Last month, it emerged that the REvil gang had itself been hacked and taken offline in a coordinated operation involving law enforcement agencies from multiple countries. Reuters reported that cyber experts working with US intelligence agencies had breached REvil's computer network infrastructure and seized control of at least some of its servers.

While it is too early to say if these arrests spell the end of REvil, or whether it will resurface under another name, law enforcement successes will certainly give it and other ransomware gangs pause for thought.