REvil ransomware gang members arrested in international operation
The arrests bring the total number of REvil gang members in custody to seven as law enforcement cracks down on the spate of attacks against businesses
International law enforcement agencies have arrested a number of individuals linked to the REvil ransomware gang and recovered millions in ransom payments.
The latest landmark development in the years-long coordinated effort against ransomware operators saw two arrests made by Romanian authorities on 4 November and a further arrest made in October at the request of the US Department of Justice (DoJ).
The arrests were announced by Europol and the DoJ on Monday. Interpol, Eurojust and 17 other countries, including the UK, were also involved in the internationally coordinated effort, known as Operation GoldDust.
The two individuals arrested in Romania are both believed to be members of the REvil ransomware gang and responsible for 5,000 ransomware infections which pocketed them around €500,000 (£426,000).
REvil, also known as Sodinokibi, is believed to have spun off from the GandCrab ransomware operation.
A total of seven suspects linked to the REvil and GandCrab gangs have been arrested since February 2021. In addition to the two most recent arrests in Romania, one arrest was made in Europe in October (believed to be the arrest made by the DoJ), three were made in South Korea during three separate stings, and an additional arrest was made in Kuwait on 4 November.
Authorities believe the seven arrested suspects were responsible for 7,000 individual ransomware attacks.
The DoJ also announced on Monday the arrest in Poland of 22-year-old Ukrainian national Yaroslav Vasinskyi. Believed to be a member of REvil, he is charged with deploying ransomware against a number of US companies, including a role in the July attack on Kaseya, and faces a maximum sentence of 115 years in prison in the US once he is extradited.
Yevgeniy Polyanin, a 28-year-old Russian national, was also indicted by the DoJ for his alleged links to the REvil group, and $6.1 million (£4.5 million) in funds were seized after they were traced back to ransomware victims.
According to his indictment, Polyanin faces a maximum of 145 years in prison, but he is unlikely to face extradition; Russia does not extradite its own citizens to the US.
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government, and especially our private sector partners,” said FBI Director Christopher Wray. “The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being.
“We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be,” he added.
Operation GoldDust builds upon the Europol-supported, Romanian-led investigation into the GandCrab ransomware family dating back to 2018. The UK and US also supported the work, which led to the release of three decryption tools, made available to victims via the No More Ransom Project website. Those tools are believed to have helped 49,000 businesses recover their data and to have prevented €60 million (£51 million) in ransom payments.
Private sector support has also proven invaluable, according to Europol, with cyber security firms such as Bitdefender, Avast, McAfee and KPN providing technical support to the investigation and contributing decryption tools to No More Ransom.
No More Ransom currently offers decryption tools for three versions of GandCrab and one for REvil; the latter has helped 1,400 companies decrypt their networks, saving them almost €475 million (£405 million) in potential losses. Across both ransomware families, the tools have enabled more than 50,000 decryptions, for which the criminals had demanded close to €520 million (£443 million) in ransom.
REvil is the prolific ransomware gang behind a spate of high-profile cyber attacks against big businesses over the past few years.
Notable cases include the massive supply-chain attack on Kaseya and its VSA remote-management software, which impacted more than 1,500 organisations. A month earlier, the gang also claimed the attack that halted global meat supplier JBS Foods for several days, in the same period as the hugely disruptive DarkSide attack on Colonial Pipeline earlier this year.
Following the Kaseya attack, REvil briefly appeared to close its operations before reappearing in September and putting its Happy Blog leak site back online, where the gang names the organisations it has attacked that refused to pay the ransom.
In October, Reuters revealed that a multi-country operation had hacked REvil's infrastructure, forcing it offline.
The concerted effort to take down the gang's infrastructure and arrest its affiliates has led some to believe this may be the end for the gang, although it is unlikely to spell the end of ransomware as a business.
"The removal of one criminal gang usually just opens up a niche into which other criminal operators can move – and we don’t expect to see any significant long-term downward trend in ransomware attacks," said Alan Calder, CEO at GRC International Group, to IT Pro. "The reality remains that these are very easy attacks to mount - organisational defences are spectacularly lax, and the rewards are lucrative."

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.