Authorities arrest REvil ransomware gang members

Authorities in the US and Europe have announced the arrest of three people in connection with the REvil ransomware operation, dealing a significant blow to one of the most prolific cybercrime organisations on the Internet.

The REvil ransomware enterprise, also known as Sodinokibi, has been responsible for a number of high-profile ransomware attacks across the world. In May 2021 it attacked the world's largest meat processor, an attack that ended with an $11 million ransom being paid.

And in July it went even bigger, targeting the software company Kaseya in a supply-chain attack that resulted in up to 1,500 businesses being infected with ransomware, in what many consider the largest ransomware attack to date. REvil initially demanded a staggering $70 million for a universal decryptor tool covering all affected organisations.

But this week, Romanian police, the US Department of Justice (DOJ) and Europol announced the arrest of three people heavily involved with the criminal network.

The arrests come out of Operation GoldDust, a dedicated Europol-coordinated investigation into the REvil operation. The three arrests last week bring the total to seven arrests since February 2021, and these most recent ones could prove pivotal.

Is it the end for REvil?

It is always difficult to tell after arrests have been made whether the authorities managed to grab the main ringleaders, or merely associates or affiliates who were helping with the more menial tasks of a large criminal enterprise. If it were a legitimate business, have the authorities pinched the board of directors, or have they just taken out a couple of receptionists and the printer guy?

This is made even more complicated by the fact that ransomware like REvil's is often "hired out" to affiliates, and it is the affiliates who actually carry out specific attacks. The business model is known as RaaS, or Ransomware-as-a-Service: the core group develops and maintains the malware and the ransom payment infrastructure, while affiliates break into victims' networks, deploy the ransomware and hand over a share of any ransom paid. So if the authorities are arresting those directly responsible for the attacks (i.e. the affiliates), they are not necessarily reaching the key operators and developers behind the ransomware.

And the arrests made in Romania and Ukraine last week appear to have been REvil affiliates, not the developers of REvil.

But it's still good news. The affiliates arrested by authorities are suspected of being behind thousands of infections and millions of dollars in ransom payments, including the July 2021 Kaseya attack. And it is likely to serve as more than just a shot across the bow to the developers of REvil, who may well feel that the walls are closing in on their illegal operation.

And that feeling is only going to be exacerbated by the US State Department announcing this week a reward of up to $10 million for information leading to the identification or location of anyone holding a key position in the REvil/Sodinokibi ransomware operation.

It's likely, at this stage, that the developers of REvil will scurry underground, at least for a while. That is what they did after the Kaseya attack, which no doubt ramped up law enforcement's efforts to bring them to justice.

And since REvil is arguably the largest ransomware group on the Internet right now, seeing it driven underground under pressure from law enforcement could turn out to be a pivotal moment in the war against ransomware.