REvil Ransomware Gang Leaders Arrested in Poland

Uploaded on 2021-11-10 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

A global police operation has dealt a serious blow to one of the most prolific cyber crime gangs currently operating. 

The coordinated action against the ransomware gangs was announced on Monday 8th November by Romanian police, the US Department of Justice (DoJ) and Europol. 

The suspects worked part of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations. According to the DoJ, a 22 year old Ukrainian national, Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained after the US indicted him for cyber crimes, as revealed in a court document. A second suspect named as Yevgeniy Polyanin is also under arrest.

So far this year law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil. Suspected of about 7,000 infections, the recent arrested suspects asked for more than €200 million in ransom. 

Both REvil and GandCrab, believed to be operated by the same individuals, created ransomware code that they offered to other cyber criminals for rent.

Vasinskyi used a variety of hacker handles, including “Profcomserv”, the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as long ago as 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com. 

The arrest operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol and follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns. Europol supported the operation by providing analytical support, as well analysis into malware and crypto currency. 

These arrests along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has become a massive issue for US companies.  

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1m of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners... The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.” said FBI Director Christopher Wray. 

The DoJ has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. 

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. 

The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented its code to cyber crime groups who used spam emails laced with malicious file attachments to infect users.

The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organisations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.

As this new method of attack started yielding greater profits, the group closed down GrandCrab in May 2019,  and released a rebranded and improved version of their ransomware a month later, in June 2020. Known as REvil or Sodinokibi, this new RaaS portal only worked with affiliates who were willing to attack larger companies. Across the years, the REvil RaaS and its affiliates have been linked to some pretty large attacks against companies such as Apple, Acer, Telecom Argentina, and many more.

President Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crypto currency.

US Dept. of Justice:   Bloomberg:  The Record:  The Verge:       BBC:    ZDNet:    Brian KrebsTechcrunch:

You Might Also Read: 

Wanted: Pipeline Hackers - $10m Reward:

 

« Inside Information: Ransomware Targets Corporate Finance
How Ethical Hacking Can Improve Your Security Posture »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

TechInsurance

TechInsurance

TechInsurance is America's top technology insurance company offering a range of technology related products including Cyber Liability insurance.

Maryville Online - Cybersecurity Program

Maryville Online - Cybersecurity Program

The Cybersecurity Program at Maryville Online is designed to help students reach opportunities in cybersecurity leadership and management through an entirely online curriculum.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

TUV Sud

TUV Sud

TÜV SÜD is one of the world's leading technical service organisations. Services offered include industrial cyber security.

Nexus Group

Nexus Group

Nexus Group develops identity solutions for physical and digital access.

Mitek Systems

Mitek Systems

Mitek's global mobile capture and identity verification technology optimizes the digital user experience for thousands of financial services organizations.

Qufaro

Qufaro

Qufaro is a new initiative designed to make it simpler for those with career ambitions in cyber security to access the UK’s cyber-specific education and innovation opportunities.

3Elos

3Elos

3Elos operates in the Information Technology market with a focus on research, development, consulting, marketing and implementation of Information Security solutions.

Axxum Technologies

Axxum Technologies

Axxum Technologies is a premier provider of Network Communications and Information Technology Security Solutions.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

AwareGO

AwareGO

AwareGO is a global provider of security awareness training content and solutions that help enterprises improve cybersecurity awareness in the workplace.

1Password

1Password

1Password combines industry-leading security with award-winning design to bring private, secure, and user-friendly password management to everyone.

Symmetry Systems

Symmetry Systems

Symmetry Systems is a provider of data store and object-level security (DSOS) solutions that give organizations visibility into, and unified access control of, their most valuable data assets.

IronClad Encryption (ICE)

IronClad Encryption (ICE)

Ironclad Encryption is Dynamic Encryption. The encryption sequence changes continuously so there is never a correlation between data sent and data received.

nsKnox

nsKnox

nsKnox is a fintech-security company, enabling corporations and banks to prevent fraud and ensure compliance in B2B Payments.

Bittnet Training

Bittnet Training

Bittnet Training is the leader in the IT Training market in Romania. We develop the IT skills of IT professionals as well as those who wish to start a career in IT.