REvil Ransomware Gang Leader Identified
German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang. The billionaire is has been named as Nikolay K by German law enforcement agencies.
German police discovered Nikolay’s email address, which was also used to register to over 60 websites, along with his phone number that is associated with a Telegram account. This account was used for legitimate crypto-trading activities, but the investigation into some of the transactions revealed that some of them were associated to ransom payments.
Nikolay K claims to be a trader of crypto currencies in social networks. The man lives in Russia and enjoys a luxurious lifestyle. German police are said to be aware of the suspect's true identity and location, which is reportedly somewhere in southern Russia "in a house with a swimming pool" and with an expensive BMW parked outside.
According to the German media investigators, the State Criminal Police Office in Baden-Württemberg (LKA) are convinced that Nikolay K. is part of the core group that operate a ransomware-as-a-service operation. Furthermore, these investigators think that it was REvil who ran the Colonial Pipeline attack, rather than the ransomware group DarkSide who have been named as the perpetrators by US authorities.
The German Federal Office for Information Security (BSI) classifies REvil as “one of the most dangerous programs in the field,” according to Zeit Online. Its report cites multiple attacks carried out by the gang in Germany, including a 2019 attack against a Germany IT company that serves doctors’ offices and hospitals that forced several clinics offline and into emergency operations.
The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is thought to have paid a 15,000 euro ransom in crypto currency.
In order to track down of REvil’s leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect’s digital tracks through anonymous Telegram channels and crypto currency payments. They searched for the name he uses on social media, found an associated email address used to register multiple websites, and looked into Russia mobile phone numbers associated with the sites. One of the numbers led them a Telegram account on which a Bitcoin address was published, an address to which more than 400,000 euros have been paid in Bitcoin. “The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K,” according to the report.
If Nikolay K, is really part of the leadership of the REvil operation, he would be very unwise to step outside of Russia’s border without risking immediate arrest.
A Russian cyber criminal who collaborated with leading hacker groups, in an interview with Russian media said the latest changes in the balance of power on the Dark Net had made REvil scared of being exposed, he said. The "Russian hacker" did not rule out that members of the REvil group took a two-month "vacation" to ensure their safety. They were prompted to do this by the disappearance of one of the active supporters of the unification.
Reuters: Threatpost: The Register: Lenta: Oodaloop: InfosecToday:
AllTech News: Metacurity: Security Affairs:
You Might Also Read:
DarkSide May Not Stay Dark For Long: