The total number of arrests made concerning Sodinokibi/REvil and GandCrab ransomware is now seven.
Europol launched a multi-agency operation to catch REvil ransomware operators (Ransomware-Evil) based on their findings of an old ransomware strain, GrandCrab, which authorities believe is the predecessor of REvil.
Dubbed Operation GoldDust; around seventeen countries took part in the operation. These include the UK, the USA, France, Australia, and Germany. As a result, five hackers associated with REvil and involved in thousands of cyberattacks have gotten arrested since February 2021.
Europol announced that the suspects are mainly involved in the Sodinokibi/REvil and GandCrab ransomware activities. The total number of arrests made concerning Sodinokibi/REvil and GandCrab ransomware is now seven. The operation involved Europol, Eurojust, and Interpol.
About the Suspects
The suspects arrested under Operation GoldDust include two Romanian citizens arrested by Romanian authorities on 4 November. One suspect was arrested in early October from the Polish border after the US issued an international arrest warrant.
The fourth suspect is a Ukrainian national who allegedly perpetrated the Kaseya attack that impacted around 1500 downstream businesses and attackers demanded €70 million ransom. Kuwaiti authorities arrested a GrandCrab affiliate on 4 November.
Moreover, in February and April 2021, South Korean authorities arrested three associates of GandCrab and Sodinokibi/REvil ransomware. The suspects’ activities affected 7000 individuals globally and they allegedly raked in approx. 500 million euros ($577.70 million) from companies in exchange for restoring their IT infrastructure after hacking them.
“They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments,” Europol’s press release read.
From @McAfee_ATR we are proud to helped with technical research, identifying key Infrastructure, Suspects & providing custom config extractors for REvil samples. @EC3Europol @PolitieTHTC @FBI @metpoliceuk Together with @BitdefenderLabs and @kpnsecurity https://t.co/LBFRisnSAk
— John Fokker (@John_Fokker) November 8, 2021
Sodinokibi/REvil Ransomware
REvil ransomware was first noticed in April 2019. Its code has stark similarities with another ransomware known as GandCrab. Cyber security researchers believe that both ransomware might be created by the same developer(s).
REvil has become one of the most threatening ransomware this year. It works in a RaaS (Ransomware-as-a-Service) model where the operators (REvil gang) offer the malware code and updates to their affiliates who distribute it and handle infections. After receiving the ransom, these affiliates share their profits with the operators.
Previous Coverage
Hackread has been following the REvil gang’s activities closely for a long time. In mid-October, Hackread reported that the REvil gang’s Tor payment portal and data leak blog was hijacked and forced offline by the law enforcement authorities in a multi-country operation.
Associates of Russian-speaking gang REvil came under the radar after launching a cyberattack on the Colonial Pipeline in May 2021 that caused widespread gas shortages across the US East Coast.
The group has targeted high-profile companies this year, including Acer, JBS, Kaseya, and Travelex. However, after getting hacked, the group went underground.
Last year, the REvil ransomware gang touched new levels of notoriety by attacking Honda, Brown-Forman, and law firm Grubman Shire Meiselas & Sacks, which represents public figures like Donald Trump, Madonna, and Robert De Niro.
