By Ryan Gallagher and Jack Gillum
Law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil, which was accused of being behind this year’s devastating cyberattacks on Kaseya Ltd and JBS SA.
Romanian authorities arrested two alleged affiliates of the group on Nov. 4, according to a statement released on Monday by European law enforcement agency Europol. A further three arrests of REvil suspects were made earlier this year, Europol said.
The alleged hackers are suspected of involvement in about 5,000 ransomware infections and of receiving about half a million euros ($579,000) in ransom payments. Many ransomware gangs lease their malware to others, called affiliates, who carry out the intrusions and deploy it against victims in exchange for a share of the ransom, a model known as ransomware-as-a-service.
In a related matter, a Ukrainian national was indicted in the U.S. on Monday for his involvement in 2,500 ransomware attacks that sought hundreds of millions of dollars in ransom payments, according to court documents unsealed Monday in Dallas.
Yaroslav Vasinskyi was charged with conspiracy to commit fraud and other computer crimes in connection with REvil ransomware attacks on several organizations, the indictment states. Prosecutors allege Vasinskyi “knowingly and willfully” conspired to intentionally damage computer systems across the country. It wasn’t immediately clear whether Vasinskyi was among the five people arrested.
“REvil,” short for “Ransomware-Evil,” is known as one of the world’s most prolific ransomware gangs. The group is accused of staging several attacks this year against major companies and organizations, including Brazilian meat supplier JBS and Miami-based technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.
In a ransomware attack, hackers encrypt a victim’s files and demand payment to unlock them. In many instances, the attackers also steal files from the victim before encrypting them and then threaten to release the data publicly unless an additional fee is paid, a tactic often called double extortion.
REvil and other ransomware operators have faced increasing pressure from international law enforcement agencies in recent months, following a spate of attacks that have crippled the operations of technology companies, food and fuel producers, and even hospitals and doctors’ surgeries.
President Joe Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, including its use of cryptocurrency.
Europol said that law enforcement agencies had identified the alleged affiliates of REvil after seizing infrastructure used by the group and carrying out investigative methods such as wiretapping.
In addition to the REvil arrests, Europol said that law enforcement agencies this year apprehended two alleged affiliates of GandCrab, another prolific ransomware group.
The arrests revealed on Monday were made as part of an international investigation named GoldDust, which involved law enforcement agencies from 17 countries, including the U.S., U.K., France and Germany.
“This represents historic collective action between 17 countries to prosecute members of this cybercrime cartel,” said Tom Kellermann, who heads cybersecurity strategy for VMware Inc. “Operation GoldDust has had a meaningful impact in disrupting their activities. These groups are now forced to play defense.”
But he added: “Destructive cyberattacks will continue and will become more systemic. Collective action between like-minded countries must be enhanced, and forfeiture of digital currencies connected to cybercrime conspiracies must be expanded.”
REvil, also known as Sodinokibi, first came to prominence in 2019. The Russian-speaking group gained notoriety for its large ransom demands, aggressive tactics and high-profile targets. The gang maintained a dark web page called “Happy Blog,” which it used to leak or auction documents it had stolen from its victims’ computers.
According to IBM’s threat intelligence index, the group made at least $123 million in profits in 2020 and stole around 21.6 terabytes of data.
In July, REvil’s website vanished from the dark web. It reappeared in September, but not for long. In October, the group shut down its website again after operations by U.S. Cyber Command and a foreign government hacked the gang’s servers and blocked its website, according to the Washington Post.