Ransomware: Suspected REvil ransomware affiliates arrested

Last Updated on January 13, 2023 by Admin


Romanian authorities have arrested two individuals suspected of cyber-attacks using the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol.

REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.

A further suspected GandCrab affiliate was arrested by Kuwaiti authorities on the same day.

In addition to these arrests, Operation GoldDust saw three additional arrests in February, April and 2021 by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate was arrested in Europe in October. In total, the operation has resulted in seven arrests and it’s the first time they’ve been disclosed publicly by law enforcement.


The operation involved police from countries around the world and the international law enforcement agencies Europol, Eurojust and Interpol. The arrests follow a joint operation which was able to identify and intercept communications and seize infrastructure used during campaigns.

Operation GoldDust also received support from the cybersecurity industry, with companies including Bitdefender, KPN and McAfee taking part. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom.

Decryption tools for several versions of GandCrab and REvil ransomware are available for free via the No More Ransom project. According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cyber criminals.

Europol supported the operation by providing analytical support, as well as malware and cryptocurrency analysis. The 17 countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.

The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.
