REvil Ransomware Gang Leaders Arrested in Poland

Uploaded on 2021-11-10 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

A global police operation has dealt a serious blow to one of the most prolific cyber crime gangs currently operating. 

The coordinated action against the ransomware gangs was announced on Monday 8th November by Romanian police, the US Department of Justice (DoJ) and Europol. 

The suspects worked part of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations. According to the DoJ, a 22 year old Ukrainian national, Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained after the US indicted him for cyber crimes, as revealed in a court document. A second suspect named as Yevgeniy Polyanin is also under arrest.

So far this year law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil. Suspected of about 7,000 infections, the recent arrested suspects asked for more than €200 million in ransom. 

Both REvil and GandCrab, believed to be operated by the same individuals, created ransomware code that they offered to other cyber criminals for rent.

Vasinskyi used a variety of hacker handles, including “Profcomserv”, the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as long ago as 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com. 

The arrest operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol and follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns. Europol supported the operation by providing analytical support, as well analysis into malware and crypto currency. 

These arrests along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has become a massive issue for US companies.  

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1m of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners... The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.” said FBI Director Christopher Wray. 

The DoJ has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. 

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. 

The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented its code to cyber crime groups who used spam emails laced with malicious file attachments to infect users.

The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organisations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.

As this new method of attack started yielding greater profits, the group closed down GrandCrab in May 2019,  and released a rebranded and improved version of their ransomware a month later, in June 2020. Known as REvil or Sodinokibi, this new RaaS portal only worked with affiliates who were willing to attack larger companies. Across the years, the REvil RaaS and its affiliates have been linked to some pretty large attacks against companies such as Apple, Acer, Telecom Argentina, and many more.

President Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crypto currency.

US Dept. of Justice:   Bloomberg:  The Record:  The Verge:       BBC:    ZDNet:    Brian KrebsTechcrunch:

You Might Also Read: 

Wanted: Pipeline Hackers - $10m Reward:

 

« Inside Information: Ransomware Targets Corporate Finance
How Ethical Hacking Can Improve Your Security Posture »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Blueliv

Blueliv

Blueliv is a leading provider of targeted cyber threat information and intelligence. We deliver automated and actionable threat intelligence to protect the enterprise and manage your digital risk.

Malomatia

Malomatia

Malomatia is a leading provider of technology services and solutions in Qatar including information security.

Cryptsoft

Cryptsoft

Cryptsoft provides key management and security software development toolkits based around open standards such as OASIS KMIP and PKCS#11.

Safe Security

Safe Security

Safe Security (formerly Lucideus) provides Cyber risk assessment services and platforms to multiple Fortune 500 companies and governments across the globe.

IFE Digital Systems

IFE Digital Systems

IFE Digital Systems conducts research, development and consultancy in risk, safety and security related to digital systems in critical infrastructure.

Ensconce Data Technology (EDT)

Ensconce Data Technology (EDT)

EDT’s focus is on providing solutions to properly sanitize Solid State Drives (SSD) and Magnetic Drives (HDD) before they are disposed or redeployed.

SynerLeap

SynerLeap

SynerLeap is ABB's innovation growth hub. Our aim is to help startups accelerate and expand across industries, ranging from industrial automation and robotics to grid technologies and smart cities.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

Ascend Technologies

Ascend Technologies

Ascend Technologies offers a full suite of managed IT services including: Cloud & Infrastructure Management, Cybersecurity Management, Service Desk Management, Application Management , Data Management

Fortiphyd Logic

Fortiphyd Logic

Fortiphyd Logic equips operators of the power grid, oil & gas, and other critical infrastructure with the tools and training they need to defend their industrial networks from advanced cyberattacks.

Futurae Technologies

Futurae Technologies

Futurae - enabling trust and invisible security for your users on all devices and applications. Strong customer authentication (SCA) made easy.

Digistor

Digistor

Digistor is a leading manufacturer of industrial-grade flash storage products, secure storage products, and Removable Secure Data Storage.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

V2X

V2X

V2X delivers IT support, networking, and cybersecurity solutions that ensure optimal mission support and performance.

Xcelerate Solutions

Xcelerate Solutions

Xcelerate Solutions is a leading defense and national security company, providing integrated solutions in three service areas – Enterprise Security, Digital Transformation, and Strategic Consulting.

MIND

MIND

MIND is the first-ever data security platform that puts data loss prevention and insider risk management programs on autopilot, so you can automatically identify, detect and prevent data leaks.