REvil Ransomware Gang Leaders Arrested in Poland
A global police operation has dealt a serious blow to one of the most prolific cyber crime gangs currently operating.
The coordinated action against the ransomware gangs was announced on Monday 8th November by Romanian police, the US Department of Justice (DoJ) and Europol.
The suspects worked part of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations. According to the DoJ, a 22 year old Ukrainian national, Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained after the US indicted him for cyber crimes, as revealed in a court document. A second suspect named as Yevgeniy Polyanin is also under arrest.
So far this year law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil. Suspected of about 7,000 infections, the recent arrested suspects asked for more than €200 million in ransom.
Both REvil and GandCrab, believed to be operated by the same individuals, created ransomware code that they offered to other cyber criminals for rent.
Vasinskyi used a variety of hacker handles, including “Profcomserv”, the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers “Yarik45,” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as long ago as 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com.
The arrest operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol and follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns. Europol supported the operation by providing analytical support, as well analysis into malware and crypto currency.
These arrests along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has become a massive issue for US companies.
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1m of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners... The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.” said FBI Director Christopher Wray.
The DoJ has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets.
The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks.
The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented its code to cyber crime groups who used spam emails laced with malicious file attachments to infect users.
The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organisations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.
As this new method of attack started yielding greater profits, the group closed down GrandCrab in May 2019, and released a rebranded and improved version of their ransomware a month later, in June 2020. Known as REvil or Sodinokibi, this new RaaS portal only worked with affiliates who were willing to attack larger companies. Across the years, the REvil RaaS and its affiliates have been linked to some pretty large attacks against companies such as Apple, Acer, Telecom Argentina, and many more.
President Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crypto currency.
US Dept. of Justice: Bloomberg: The Record: The Verge: BBC: ZDNet: Brian Krebs: Techcrunch:
You Might Also Read:
Wanted: Pipeline Hackers - $10m Reward: