REvil: arrests made in relation to massive Kaseya ransomware attack

A coordinated law enforcement operation has led to the arrest of 7 hackers allegedly affiliated with the REvil group (also known as Sodinokibi), one of the most prolific cyber gangs in history. REvil, the successor of the notorious GandCrab group, is responsible for some of the biggest attacks on businesses and organizations in recent years, including the massive cyberattack on the software company Kaseya.

Europol has announced that multiple arrests have been made in relation to the REvil cybergang. The most recent arrests, of two hackers in Romania and one in Ukraine, are part of a 17-country coordinated law enforcement operation, GoldDust, targeting REvil. Three other REvil affiliates and two suspects connected to GandCrab were arrested earlier in the year. According to Europol, the two hackers arrested in Romania are allegedly responsible for 5000 infections, which allowed them to pocket approximately €500,000. So far, 7 publicly disclosed arrests have been made in relation to REvil and GandCrab. In addition to these arrests, the US also revealed that it was able to retrieve more than $6 million in cryptocurrency, likely ransom payments from victims.

“These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab,” Europol said in a press release.

With support from Europol, Eurojust, and INTERPOL, the countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, and the United States.

One of REvil’s “masterminds”, 22-year-old Ukrainian Yaroslav Vasinskyi, was arrested in Poland last month and, according to US Attorney General Merrick Garland, is now facing charges for the attack on Kaseya. A Russian hacker, Yevgeniy Polyanin, has also been indicted but has not yet been arrested. Vasinskyi is believed to have launched at least 2500 attacks since joining REvil in 2019 and to have made $2.3 million from ransoms. Polyanin is tied to at least 3000 ransomware attacks.

The Treasury Department is also offering a $10 million reward for information about those in key leadership positions in the Sodinokibi/REvil cybercrime group. A further $5 million reward is offered for information leading to the arrest or conviction of any individual conspiring to participate in REvil ransomware activities.

REvil is considered one of the most notorious cybercrime gangs in history. It received extensive news coverage and interest from law enforcement after carrying out a massive cyberattack on the software company Kaseya, which resulted in ransomware attacks against 1500 companies that indirectly use Kaseya’s software. On July 2 this year, REvil carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya’s Virtual System/Server Administrator (VSA). Around 60 managed service providers (MSPs) using the VSA were infected, which in turn infected around 1500 of the MSPs’ customers, mostly small and medium-sized companies. The cybercrime gang demanded $70 million in ransom.

The Kaseya cyberattack received a significant amount of attention, perhaps much more than the group was anticipating. Almost two weeks after the attack, the group’s entire infrastructure disappeared from the Internet. The exact reason is not known, though it is speculated that political pressure forced Russia to shut the group down, as the hackers are believed to have been operating from Russia. A decryption key was provided to Kaseya by a “trusted source”, later revealed to be the FBI. A universal decryptor has since been published.
