REvil Ransomware Gang Leaders Arrested in Poland

Uploaded on 2021-11-10 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

A global police operation has dealt a serious blow to one of the most prolific cyber crime gangs currently operating. 

The coordinated action against the ransomware gangs was announced on Monday 8th November by Romanian police, the US Department of Justice (DoJ) and Europol. 

The suspects worked part of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations. According to the DoJ, a 22 year old Ukrainian national, Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained after the US indicted him for cyber crimes, as revealed in a court document. A second suspect named as Yevgeniy Polyanin is also under arrest.

So far this year law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil. Suspected of about 7,000 infections, the recent arrested suspects asked for more than €200 million in ransom. 

Both REvil and GandCrab, believed to be operated by the same individuals, created ransomware code that they offered to other cyber criminals for rent.

Vasinskyi used a variety of hacker handles, including “Profcomserv”, the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as long ago as 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com. 

The arrest operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol and follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns. Europol supported the operation by providing analytical support, as well analysis into malware and crypto currency. 

These arrests along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has become a massive issue for US companies.  

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1m of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners... The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.” said FBI Director Christopher Wray. 

The DoJ has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. 

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. 

The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented its code to cyber crime groups who used spam emails laced with malicious file attachments to infect users.

The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organisations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.

As this new method of attack started yielding greater profits, the group closed down GrandCrab in May 2019,  and released a rebranded and improved version of their ransomware a month later, in June 2020. Known as REvil or Sodinokibi, this new RaaS portal only worked with affiliates who were willing to attack larger companies. Across the years, the REvil RaaS and its affiliates have been linked to some pretty large attacks against companies such as Apple, Acer, Telecom Argentina, and many more.

President Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crypto currency.

US Dept. of Justice:   Bloomberg:  The Record:  The Verge:       BBC:    ZDNet:    Brian KrebsTechcrunch:

You Might Also Read: 

Wanted: Pipeline Hackers - $10m Reward:

 

« Inside Information: Ransomware Targets Corporate Finance
How Ethical Hacking Can Improve Your Security Posture »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Bromium

Bromium

Bromium deliver a new technology called micro-virtualization to address the enterprise security problem and provide protection for end users against advanced malware.

FireMon

FireMon

FireMon is the only agile network security policy platform for firewalls and cloud security groups providing the fastest way to streamline network security policy management.

Logscape

Logscape

Logscape provides a big data analytical tool for log file analysis and operational analytics.

Akheros

Akheros

Akheros develops cybersecurity learning algorithms which anticipate, detect and prevent offensive and incongruous behaviors of M2M interactions.

Decision Group

Decision Group

Decision Group are a Total Solution Supplier offering Network Forensics and Lawful Interception tools.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

Scientific Cyber Security Association (SCSA)

Scientific Cyber Security Association (SCSA)

The main goal of Scientific Cyber Security Association is the development of scientific and practical directions of cyber security.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

NewGens

NewGens

NewGens is a solution and service provider to banking institutions in the APAC region. Areas of expertise include cybersecurity, AML, fruad prevention, compliance and risk management.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

RiskXchange

RiskXchange

RiskXchange's cybersecurity risk rating solution helps businesses solve complex cybersecurity and compliance challenges by providing a 360-degree view of your cybersecurity posture.

Hyperion Gray

Hyperion Gray

Hyperion Gray are a small research and development team focused on innovative work in a variety of areas including Software & Security Research, Penetration Testing, Incident Response, and Red Teaming

SecureData

SecureData

SecureData provide professional data recovery services, digital forensics, data recovery software and FIPS 140-2 Level 3 Validated hardware encrypted drives.

Conversant Group

Conversant Group

Conversant Group is an IT infrastructure and security consulting company, providing technical, organizational, procedural, and process consulting internationally.

LoughTec

LoughTec

LoughTec secure, manage and connect IT infrastructure for businesses and organisations throughout the UK and Republic of Ireland.

Flawnter

Flawnter

Flawnter is a security testing software that finds hidden security and quality flaws in your applications.