Ransomware: cybercriminal gang REvil targeted by series of arrests in Europe

The authorities' noose is tightening around REvil, the cybercriminal gang behind one of the most virulent strains of ransomware.

The United States announced on Monday, November 8, the arrest in Poland of a 22-year-old Ukrainian, Yaroslav Vasinsky. The American authorities accuse him in particular of being the REvil “affiliate” responsible for the attack on Kaseya in July. By attacking this American company specializing in digital services, the hacker(s) succeeded in infecting a large number of its customers. The attack made an impression because of its scale and sophistication, whereas ransomware attacks usually affect one business at a time.

Mr. Vasinsky was arrested on October 8 while traveling to Poland from Ukraine, said Merrick Garland, the US Attorney General, the equivalent of the Minister of Justice, at a press conference.

Ransomware is malicious software that cripples a computer system and demands a ransom to unlock it. “Affiliates” are an essential link in a ransomware attack: they are responsible for getting the ransomware developed by the gang into the victims' computer networks. The malware authors then usually take over to extort the victims. The extorted sums are then shared between the developers and their affiliate.

Two more arrests in Romania

A little earlier in the day, Europol had already announced the arrest in Romania of four other people suspected of being affiliates of REvil. Two of them were arrested on Thursday, November 4, in the coastal city of Constanta and placed in pre-trial detention by the Romanian police, following a joint investigation by Germany, France and Romania, the latter announced. French investigators were present on the ground. These two people are suspected of having attacked 5,000 victims and extorted half a million dollars (approximately 430,000 euros).

Europol also said that two Gandcrab affiliates had been arrested, one of them by the Kuwaiti police. Gandcrab is a gang behind another very active strain of ransomware. It claimed to have disbanded in May 2019, but most experts believe its members are the same individuals as those responsible for REvil. Europol also announced that several suspected hackers had been arrested by South Korean authorities, without specifying whether they were suspected of having collaborated with Gandcrab or REvil. In total, this brings to seven the number of cybercriminals apprehended in recent months for participating in REvil and Gandcrab ransomware attacks.

The American authorities also hit REvil in the wallet: they announced that they had seized more than $6 million in cryptocurrencies extorted by an affiliate, whom they believe to be a 28-year-old Russian national, Yevgeny Polyanin. The latter is still at large, but he has been indicted by the US justice system. REvil affiliates are accused of extorting a total of more than $200 million. The Treasury Department also sanctioned Chatex, a cryptocurrency exchange, and three associated companies. US authorities accuse them of providing cybercriminals with the means to launder funds extorted from their victims.

The noose tightens around REvil

These arrests and seizures of funds are the fruit of considerable efforts in recent months by several countries, including the United States and France, to thwart the criminal ransomware industry, which has caused immeasurable damage around the world. REvil was the number one target. In the United States, the authorities were particularly stung by two attacks by this group: in addition to Kaseya, the operations of the food company JBS had been severely disrupted by hackers in June.

Operations targeting this group have increased in recent months. Several German media outlets recently revealed that German investigators had managed to identify one of the brains of REvil. This individual, whose identity is known to journalists but whose name has not been publicly revealed, is not one of the two suspected hackers whose indictment was revealed on Monday by the United States.

According to various American media outlets, the Federal Police (FBI) and the US Army Cyber Command succeeded, over the summer, in penetrating part of the infrastructure used by REvil, significantly disrupting the hackers' activity and obtaining valuable information. According to The Washington Post, U.S. law enforcement officials discovered that a foreign country had already successfully hacked REvil. It is possible that this foreign country is European. Indeed, Europol revealed the existence of GoldDust, a joint operation by several states on the continent, which have been investigating REvil for two years and whose investigations have led, in particular, to the arrest of two Romanian nationals.
