More Arrests In Ongoing Campaign Against REvil Hacking Gang

Two more arrested by police in Romania, as global crackdown against Russia’s Sodinokibi/REvil ransomware hackers continues

Romanian police have arrested two individuals suspected of carrying out cyberattacks in which the Sodinokibi/REvil ransomware was deployed.

“They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments,” announced Europol. “Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab.”

Indeed, the global police operation against the notorious REvil gang stepped up a notch in recent months, when the gang’s “Happy Blog” website, which it used to leak victims’ data for the purposes of extortion, was taken offline along with its other portals.

Notable attacks

The Russia-based gang was behind a string of high-profile attacks in 2021, though not, as is sometimes reported, the May ransomware attack on Colonial Pipeline that led to fuel shortages on the US East Coast; that attack was the work of the DarkSide gang.

The gang was responsible for the July compromise of Florida-based IT management software company Kaseya, which it used as a springboard to hit hundreds of organisations served by Kaseya’s managed service provider customers around the world.

In April REvil hacked Apple supplier Quanta Computer and stole engineering schematics for unreleased products, including designs for the 2021 MacBook Pro, releasing them to the public after failing to extort tens of millions of dollars from Quanta or Apple.

The gang also disrupted the systems of meatpacker JBS and many other high-profile targets.

Following the attack on Kaseya, the FBI faced heavy criticism after it revealed that it had obtained a universal decryption key that could have aided those affected by the attack, but chose not to release it as it was preparing an operation against the gang.

Arrests, Funds seized

According to the US Justice Department, Yaroslav Vasinskyi, 22, a Ukrainian national, has been charged with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya.

On 8 October, Vasinskyi was taken into custody in Poland where he remains held by authorities pending his extradition to the United States.

The US Justice department also announced the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about 16 August 2019.

“Our message to ransomware criminals is clear: If you target victims here, we will target you,” said Deputy Attorney General Lisa O. Monaco. “The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today’s announcements showed how we will fight back.

“In another success for the department’s recently launched Ransomware and Digital Extortion Task Force, criminals now know we will take away your profits, your ability to travel, and – ultimately – your freedom,” said Monaco. “Together with our partners at home and abroad, the Department will continue to dismantle ransomware groups and disrupt the cybercriminal ecosystem that allows ransomware to exist and to threaten all of us.”

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government and especially our private sector partners,” noted FBI Director Christopher Wray.

“The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil,” said Wray. “Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”

Formidable gang

Security experts welcomed the news of the arrests of members of the formidable REvil ransomware gang, but warned that businesses need to continue to build up robust defences.

“Europol has announced that Romanian Law enforcement has arrested two more members of the formidable REvil ransomware gang,” said Camellia Chan, CEO and co-founder of Flexxon.

“Although a positive step in the fight against criminal cyber gangs, it is by no means the end,” said Chan. “It is imperative that businesses do not rest on their laurels despite this progress.”

“Efforts to improve cybersecurity and bolster defences should be more robust than ever,” she added. “New ransomware gangs are sure to emerge and as threats heighten, so too must a business’ defence strategy.”

Maintain the pressure

The arrests and seizures of assets were welcomed by another security expert, who said that police and law enforcement need to maintain the pressure on the cybercriminal community.

“The tables are turning for ransomware groups as law enforcement organisations around the world are taking an increasingly strong stand against threat actors,” said Steve Forbes, government cyber security expert at Nominet.

“Most recently we’ve seen the REvil arrests in Europe and the US, and the seizing of millions of dollars from the suspect reportedly behind the Kaseya ransomware attack this summer,” said Forbes.

“The collective efforts by the US and over a dozen countries to pursue cyber criminals and take back their ill-gotten gains is not just a message for the ransomware groups themselves, but a signal to would-be cyber attackers everywhere that these attacks won’t be tolerated,” said Forbes. “When you consider that the FBI Director has told US lawmakers that they’re investigating more than 100 types of ransomware, there is likely more action to come.”

“Maintaining this type of pressure on global criminal operations will be essential to preventing them from reinventing themselves and returning in a new guise,” said Forbes. “Unfortunately, considering the funds and resources these entities now have available, the battle against ransomware is not yet over.”