Ransomware: Suspected REvil ransomware affiliates arrested

Suspected of about 7,000 infections, the arrested alleged affiliates asked for more than €200 million in ransom.

The ransomware threat is growing: What needs to happen to stop attacks getting worse?

Romanian authorities have arrested two individuals suspected of cyberattacks using the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol.

REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.

A further suspected GandGrab affiliate was arrested by Kuwaiti authorities on the same day.

SEE: A winning strategy for cybersecurity (ZDNet special report)    

In addition to these arrests, GoldDust, which is a 17-nation law enforcement operation, saw three additional arrests in February and April by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate, a Ukrainian national, was arrested at the Polish border in October following an international arrest warrant from the US. 

The Ukrainian suspect was arrested on suspicion of involvement in the Kaseya ransomware attack, which affected around 1,500 companies across the world. In total, the operation has resulted in seven arrests, and it's the first time they've been disclosed publicly by law enforcement.

The operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol. The arrests follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns.

Operation GoldDust also received support from the cybersecurity industry from companies including Bitdefender, KPN, and McAfee. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom.

Decryption tools for several versions of GandCrab and REvil ransomware are available for free via the No More Ransom project. According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cyber criminals.

Europol supported the operation by providing analytical support, as well analysis into malware and cryptocurrency. The 17 countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, and the United States.

SEE: The IoT is getting a lot bigger, but security is still getting left behind

"These arrests illustrate what can be achieved when the public and private sectors pool their resources to fight cybercrime. This operation was an around-the-clock global effort to hunt down those responsible for the most devastating ransomware attacks in recent history leaving no stone unturned," Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender that aided investigations, told ZDNet.

"The success of this operation is a wake-up call for cyber criminals. They should understand if they are caught in the crosshairs of an international effort to find them, they can't hide," he added.

The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma, and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.

MORE ON CYBERSECURITY