REvil Ransomware Gang Leader Identified

German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang. The billionaire has been named by German law enforcement agencies as Nikolay K.

German police discovered Nikolay's email address, which was also used to register over 60 websites, along with a phone number of his that is linked to a Telegram account. This account was used for legitimate crypto-trading activities, but the investigation revealed that some of its transactions were associated with ransom payments.

Nikolay K claims on social networks to be a cryptocurrency trader. The man lives in Russia and enjoys a luxurious lifestyle. German police are said to be aware of the suspect's true identity and location, which is reportedly somewhere in southern Russia "in a house with a swimming pool" and with an expensive BMW parked outside.

According to German media, investigators at the State Criminal Police Office in Baden-Württemberg (LKA) are convinced that Nikolay K. is part of the core group that operates a ransomware-as-a-service operation. Furthermore, these investigators think that it was REvil that ran the Colonial Pipeline attack, rather than the ransomware group DarkSide, which US authorities have named as the perpetrator.

The German Federal Office for Information Security (BSI) classifies REvil as "one of the most dangerous programs in the field," according to Zeit Online. Its report cites multiple attacks carried out by the gang in Germany, including a 2019 attack against a German IT company that serves doctors' offices and hospitals, which forced several clinics offline and into emergency operations.

The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is thought to have paid a 15,000 euro ransom in cryptocurrency.

In order to track down REvil's leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect's digital tracks through anonymous Telegram channels and cryptocurrency payments. They searched for the name he uses on social media, found an associated email address used to register multiple websites, and looked into Russian mobile phone numbers associated with the sites. One of the numbers led them to a Telegram account on which a Bitcoin address was published, an address to which more than 400,000 euros have been paid in Bitcoin. "The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K," according to the report.

If Nikolay K is really part of the leadership of the REvil operation, he would be very unwise to step outside Russia's borders, as he would risk immediate arrest.

A Russian cyber criminal who has collaborated with leading hacker groups said in an interview with Russian media that the latest changes in the balance of power on the Dark Net had made REvil scared of being exposed. The "Russian hacker" did not rule out that members of the REvil group took a two-month "vacation" to ensure their safety. They were prompted to do this by the disappearance of one of the active supporters of the unification.

Sources: Reuters, Threatpost, The Register, Lenta, Oodaloop, InfosecToday, AllTech News, Metacurity, Security Affairs
