Ransomware: Suspected REvil ransomware affiliates arrested

Romanian authorities have arrested two individuals suspected of cyber-attacks using the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol.

REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.

A further suspected GandCrab affiliate was arrested by Kuwaiti authorities on the same day.

In addition to these arrests, GoldDust, which is a 17-nation law enforcement operation, saw three additional arrests in February and April by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate, a Ukrainian national, was arrested at the Polish border in October following an international arrest warrant from the US. 

The Ukrainian suspect was arrested on suspicion of involvement in the Kaseya ransomware attack, which affected around 1,500 companies across the world. In total, the operation has resulted in seven arrests, and it’s the first time they’ve been disclosed publicly by law enforcement.

The operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol. The arrests follow a joint operation which was able to intercept communications and seize infrastructure used during campaigns.

Operation GoldDust also received support from the cybersecurity industry from companies including Bitdefender, KPN, and McAfee. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom.

Decryption tools for several versions of GandCrab and REvil ransomware are available for free via the No More Ransom project. According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cyber criminals.

Europol supported the operation by providing analytical support, as well as analysis of malware and cryptocurrency. The 17 countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, and the United States.

“These arrests illustrate what can be achieved when the public and private sectors pool their resources to fight cybercrime. This operation was an around-the-clock global effort to hunt down those responsible for the most devastating ransomware attacks in recent history leaving no stone unturned,” Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender which aided investigations, told ZDNet.

“The success of this operation is a wake-up call for cybercriminals. They should understand if they are caught in the crosshairs of an international effort to find them, they can’t hide,” he added.

The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma, and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.

Source: Information Technologies - zdnet.com