REvil Ransomware Associates Arrested in Global Takedown

Law enforcement authorities in Romania on November 4 arrested two individuals for their role as affiliates of the REvil ransomware operation.

The suspects have been linked to more than 5,000 ransomware attacks and are said to have extorted close to $600,000 from victims. The arrests are part of a coordinated operation called GoldDust, which has also resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea.

The arrests include a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was detained in early October and is accused of perpetrating the devastating attack on Florida-based software firm Kaseya in July 2021, an incident that affected up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 victims, while collectively demanding more than €200 million in digital ransoms.

REvil (aka Sodinokibi) is seen as the successor of GandCrab and has been linked to a number of high-profile ransomware attacks since its emergence in the threat landscape in 2019. The cybercrime syndicate is also known to operate as a ransomware-as-a-service (RaaS): it rents its malware to affiliates, typically after vetting their technical skills, who in turn are responsible for carrying out the attacks against chosen victims.

REvil has been under pressure since the Kaseya ransomware attack, which spurred governments around the world to step up efforts to tackle the ransomware ecosystem. On July 14, the dark web data leak portals operated by the group went off the grid, only to reappear in September after a two-month break.

The criminal group, however, shut down its operations again last month after a partnership of foreign governments, including U.S. Cyber Command, compromised its Tor infrastructure and forced its website offline. Bitdefender has also made available a free universal decryptor that REvil victims can use to restore files and recover from attacks carried out prior to July 13, 2021.

The sweeping international law enforcement effort aimed at identifying, wiretapping, and seizing the infrastructure used by the REvil ransomware cartel was undertaken by Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the U.K., and the U.S., with support from Europol, Eurojust, and Interpol.