REvil associates arrested in international ransomware crackdown

In the wake of October’s multinational operation targeting the REvil (aka Sodinokibi) ransomware gang’s infrastructure, Romanian police have arrested two suspected REvil affiliates suspected of being behind as many as 5,000 cyber attacks netting €500,000 (£427,000/$580,000) in an ongoing international law enforcement operation targeting the notorious crime gang.

The arrests were made on Thursday 4 November in the city of Constanţa by Romania’s organised crime and counter terrorism unit, DIICOT, with assistance from local police and the national gendarmerie. DIICOT said it conducted searches of four homes in the Black Sea coast city, and seized smartphones, laptops and storage devices.

The action forms part of Operation GoldDust, a 17-country effort coordinated by the European Union’s (EU’s) Europol and Eurojust agencies, Interpol, and police forces from around the world, as well as cyber security firms Bitdefender, KPN and McAfee. Operation GoldDust has seen extensive inter-agency collaboration on identifying and tracking the suspects, and seizing the IT infrastructure used in their attacks.

The latest sting means that a total of seven suspects associated with REvil and its predecessor GandCrab have been taken into custody since February 2021, with three arrests made in South Korea, one in Kuwait, and another in Europe. Altogether, they are suspected of attacking around 7,000 victims.

The law enforcement operation’s roots lie in a Romanian-led investigation targeting REvil’s predecessor GandCrab, dating back to 2018 when it was one of the most prolific ransomwares around. After the operators of GandCrab “retired” in 2019, only to launch REvil a few months later, leads from this investigation helped form the basis of Operation GoldDust.

“REvil has managed to compromise thousands of businesses around the world and was known to extort much larger payments from victims than the average market price. Companies that did not pay and attempted to restore from backups were blackmailed with the publication of their stolen confidential information,” said Bogdan Botezatu, Bitdefender director of threat research and reporting.

“The Bitdefender Draco Team provided cyber security consulting and guidance especially in areas of cryptography, forensics, and investigations that helped the law enforcement consortium in this operation minimise the impact of successful ransomware attacks, and eventually led to arrests.

“This collaboration with law enforcement is a prime example of the public and private sector working together to significantly disrupt cyber criminal activities,” he added.

Working alongside law enforcement and other technical partners, Bitdefender also played a key role in developing free decryption tools for both GandCrab and REvil, which can be obtained from the No More Ransom website.

At the time of writing, the REvil decryption tool has helped more than 1,400 victims to decrypt their networks without having to pay off their attackers, saving an estimated €475m in potential losses, while the GandCrab decryption tools have enabled more than 45,000 decryptions, saving millions more.