May 17, 2022



REvil ransomware affiliates arrested in international takedown

Two suspected REvil ransomware affiliates were arrested by Romanian authorities last Thursday as part of an international law enforcement operation, Europol announced Monday.

The arrests were made as part of “Operation GoldDust,” a REvil ransomware takedown campaign carried out by Europol, Eurojust, Interpol and 17 countries across multiple continents. Europol said in its press release that in addition to the two Nov. 4 arrests, five other suspected affiliates have been arrested since February: three REvil affiliates and two GandCrab affiliates.

The two suspects were allegedly responsible for 5,000 ransomware infections and received about half a million euros in ransom payments.

“All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab,” the press release read.

Europol said Operation GoldDust was built from leads discovered in a previous investigation that targeted the GandCrab ransomware operation. Adam Meyer, vice president of intelligence at CrowdStrike, detailed several connections between GandCrab and REvil in a July blog post.

Europol released few details about the Nov. 4 arrests by Romanian authorities, but the press release gave a little more detail on the other five arrests made as part of GoldDust. In February, April and October, a total of three GandCrab and REvil affiliates were arrested in South Korea. In October, another REvil affiliate was arrested in Europe, though no other details were provided. Lastly, also on Nov. 4, Kuwaiti authorities arrested a GandCrab affiliate.

The seven suspects arrested since February are suspected to have been responsible for a total of 7,000 ransomware infections, and to have made a total of 200 million euros in ransom demands, though how much victims actually paid is unknown.

The Europol post also referenced No More Ransom, a collaboration between private-sector security companies and the agency to provide decryption tools for ransomware victims. As part of Operation GoldDust, GandCrab and REvil decryption tools were released this year in partnership with Bitdefender.

In an email to SearchSecurity, a Europol spokesperson said Operation GoldDust “lasted quite long” and that “the decryptors were made available during this period. Bitdefender supported this investigation by providing also decryption tools for Sodinokibi/REvil and GandCrab ransomware families.”

The decryptors have had a big impact on ransomware victims, according to Europol.

“The Sodinokibi/REvil decryption tools helped more than 1400 companies decrypt their networks, saving them almost €475 million in potential losses,” the press release said. “The tools made available for both ransomware families enabled more than 50,000 decryptions, for which cybercriminals had asked about €520 million in ransom.”

Alexander Culafi is a writer, journalist and podcaster based in Boston.