REvil Ransomware Gang Leader Identified

German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang. The billionaire is has been named as  Nikolay K by German law enforcement agencies.

German police discovered Nikolay’s email address, which was also used to register to over 60 websites, along with his phone number that is associated with a Telegram account. This account was used for legitimate crypto-trading activities, but the investigation into some of the transactions revealed that some of them were associated to ransom payments.

Nikolay K claims to be a trader of crypto currencies in social networks. The man lives in Russia and enjoys  a luxurious lifestyle. German police are said to be aware of the suspect's true identity and location, which is reportedly somewhere in southern Russia "in a house with a swimming pool" and with an expensive BMW parked outside.

According to the German media investigators, the State Criminal Police Office in Baden-Württemberg (LKA) are convinced that Nikolay K. is part of the core group that operate a ransomware-as-a-service operation. Furthermore, these investigators think that it was REvil who ran the Colonial Pipeline attack, rather than the ransomware group DarkSide who have been named as the perpetrators by US authorities. 

The German Federal Office for Information Security (BSI) classifies REvil as “one of the most dangerous programs in the field,” according to Zeit Online. Its report cites multiple attacks carried out by the gang in Germany, including a 2019 attack against a Germany IT company that serves doctors’ offices and hospitals that forced several clinics offline and into emergency operations.

The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is thought to have paid a 15,000 euro ransom in crypto currency. 

In order to track down of REvil’s leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect’s digital tracks through anonymous Telegram channels and crypto currency payments. They searched for the name he uses on social media, found an associated email address used to register multiple websites, and looked into Russia mobile phone numbers associated with the sites. One of the numbers led them a Telegram account on which a Bitcoin address was published, an address to which more than 400,000 euros have been paid in Bitcoin. “The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K,” according to the report.

If Nikolay K, is really part of the leadership of the REvil operation, he would be very unwise to step outside of Russia’s border without risking immediate arrest.

A Russian cyber criminal who collaborated with leading hacker groups, in an interview with Russian media said the latest changes in the balance of power on the Dark Net had made REvil scared of being exposed, he said. The "Russian hacker" did not rule out that members of the REvil group took a two-month "vacation" to ensure their safety. They were prompted to do this by the disappearance of one of the active supporters of the unification.

Reuters:     Threatpost:     The Register:     Lenta:     Oodaloop:     InfosecToday:   

AllTech News:    Metacurity:    Security Affairs:  

You Might Also Read:

DarkSide May Not Stay Dark For Long:

 

« New US National Cyber Director
UAE Central Bank's New Cyber Security Centre »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyberis

Cyberis

Cyberis are pioneers in customer-focussed information security. Since 2011, we’ve been helping businesses protect their brands, customers and reputation.

Allgress

Allgress

Allgress solutions converge disparate risk silos across enterprise networks and automate governance, risk and compliance management processes.

tietoevry

tietoevry

Tietoevry creates digital advantage for businesses and society. We are a leading digital services and software company with local presence and global capabilities.

IDnext

IDnext

IDnext is the open and independent platform to support innovative approaches in the world of the Digital identity.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

LiveVault

LiveVault

LiveVault delivers fully automated, turnkey, backup over the Internet or a private network connection for uninterrupted remote data protection.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

Safetica

Safetica

Safetica Technologies is a Czech software company that delivers data protection solutions for businesses of all types and sizes.

Privafy

Privafy

Privafy helps mobile service providers, IoT manufactures , and enterprises redefine the way they protect Data-in-Motion.

boxxe

boxxe

boxxe create flexible IT infrastructures, collaborative global workspaces and data clarity, all underpinned by world-leading security.

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

Twingate

Twingate

Twingate help organizations secure and manage access to their technology resources in a world where people work from anywhere.

CoreStack

CoreStack

CoreStack helps enterprises overcome cloud challenges such as ever growing security risks, stringent regulatory compliance needs and operational complexities.

CommandK

CommandK

CommandK provides companies with infrastructure to protect their sensitive data. Built-in solutions to prevent data-leaks and simplify governance.

National Renewable Energy Laboratory (NREL) - USA

National Renewable Energy Laboratory (NREL) - USA

NREL is transforming energy through research, development, commercialization, and deployment of renewable energy and energy efficiency technologies.

QualySec

QualySec

QualySec is a leading cybersecurity firm specializing in comprehensive penetration testing and risk assessment services.