Romanian law enforcement officials have reported the arrest of two persons for their affiliation with the REvil ransomware gang, striking a severe blow to one of the most notorious ransomware operations.
According to Europol, the accused are suspected of orchestrating over 5,000 ransomware attacks. The arrests, which took place on November 4, are part of a larger investigation known as GoldDust, which has also led to three other REvil affiliates and two individuals linked to GandCrab being arrested in Kuwait and South Korea since February 2021.
This includes Yaroslav Vasinskyi, a 22-year-old Ukrainian citizen detained in early October in Poland. He is suspected of carrying out the catastrophic attack on Florida-based software firm Kaseya in July 2021, which impacted up to 1,500 downstream firms.
The United States is seeking Vasinskyi’s extradition. He was linked to about 3,000 attacks that extorted $13 million in ransom money. A second alleged hacker, Russian national Yevgeniy Polyanin, remains at large in Russia, according to officials; of those ransomware payments, law enforcement seized $6.1 million that Polyanin had extorted.
“Vasinskyi’s arrest demonstrates how quickly we will act alongside our international partners to identify, locate and apprehend alleged cybercriminals, no matter where they are located,” US Attorney General Merrick Garland said at a news conference. “For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time.”
In total, seven suspects related to the REvil ransomware gang were arrested and accused of targeting around 7,000 victims and seeking more than €200 million in digital ransoms.
REvil (aka Sodinokibi) is the successor to the GandCrab ransomware and has been linked to several high-profile ransomware operations since it first appeared in the threat landscape in 2019. The criminal syndicate operates as a ransomware-as-a-service (RaaS): it rents its malware to affiliates, usually after vetting their technical skills, and those affiliates are then responsible for carrying out the attacks against the victims they select.
The group’s dark web data leak portals went offline on July 14 and resurfaced two months later, in September.
According to a Washington Post investigation, the criminal group’s operations were halted again last month when the US Cyber Command, in collaboration with a foreign government, infiltrated its Tor infrastructure, forcing its websites to be pulled offline.
Bitdefender, a Romanian cybersecurity company, recently released a free universal decryptor that lets REvil victims restore their files and recover from attacks that occurred before July 13, 2021.