REvil Ransomware Gang Leaders Arrested in Poland

Uploaded on 2021-11-10 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

A global police operation has dealt a serious blow to one of the most prolific cyber crime gangs currently operating. 

The coordinated action against the ransomware gangs was announced on Monday 8th November by Romanian police, the US Department of Justice (DoJ) and Europol. 

The suspects worked part of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations. According to the DoJ, a 22 year old Ukrainian national, Yaroslav Vasinskyi is facing extradition to the US after Polish authorities detained after the US indicted him for cyber crimes, as revealed in a court document. A second suspect named as Yevgeniy Polyanin is also under arrest.

So far this year law enforcement agencies have arrested five people allegedly associated with the prolific ransomware group REvil. Suspected of about 7,000 infections, the recent arrested suspects asked for more than €200 million in ransom. 

Both REvil and GandCrab, believed to be operated by the same individuals, created ransomware code that they offered to other cyber criminals for rent.

Vasinskyi used a variety of hacker handles, including “Profcomserv”, the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as long ago as 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com. 

The arrest operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust, and Interpol and follow a joint operation that was able to intercept communications and seize infrastructure used during campaigns. Europol supported the operation by providing analytical support, as well analysis into malware and crypto currency. 

These arrests along with the government seizing assets it says are linked to REvil’s operations, is another step in the fight against ransomware, which has become a massive issue for US companies.  

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1m of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners... The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.” said FBI Director Christopher Wray. 

The DoJ has seized $6.1 million in assets from the FTX crypto trading exchange, allegedly linked to REvil ransomware. The money belonged to Russian national Yevgeniy Polyanin, who has also been indicted for allegedly working with REvil to attack corporate and government targets. 

The indictments don’t explicitly say what roles Vasinskyi and Polyanin allegedly played in the attacks, only accusing them of being involved and working with other team members to carry out attacks. 

The Department of Justice says that Vasinskyi and Polyanin could each face over 100 years in prison if convicted on all counts levied against them. Two other people involved with REvil were also arrested. First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented its code to cyber crime groups who used spam emails laced with malicious file attachments to infect users.

The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organisations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.

As this new method of attack started yielding greater profits, the group closed down GrandCrab in May 2019,  and released a rebranded and improved version of their ransomware a month later, in June 2020. Known as REvil or Sodinokibi, this new RaaS portal only worked with affiliates who were willing to attack larger companies. Across the years, the REvil RaaS and its affiliates have been linked to some pretty large attacks against companies such as Apple, Acer, Telecom Argentina, and many more.

President Biden has made confronting ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crypto currency.

US Dept. of Justice:   Bloomberg:  The Record:  The Verge:       BBC:    ZDNet:    Brian KrebsTechcrunch:

You Might Also Read: 

Wanted: Pipeline Hackers - $10m Reward:

 

« Inside Information: Ransomware Targets Corporate Finance
How Ethical Hacking Can Improve Your Security Posture »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Anomali

Anomali

Anomali delivers intelligence-driven cybersecurity solutions to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

Alan Boswell Group

Alan Boswell Group

We are a Group of Companies providing specialist Insurance Broking and Risk Management advice and services including Cyber Risk cover.

idappcom

idappcom

idappcom provides unique industry approved software solutions for auditing and enhancing the threat recognition and response capabilities of your corporate security defences.

Quick Heal Technologies

Quick Heal Technologies

Quick Heal Technologies is a leading IT security solutions provider focused on endpoint and network security solutions.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

Aptible

Aptible

Aptible is a Platform as a Service (PaaS) that gives startups everything developers need to launch and scale apps and databases that are secure, reliable, and compliant.

ThreadStone Cyber Security

ThreadStone Cyber Security

ThreadStone Cyber Security offer reliable, practical and affordable cyber security solutions for both large and smaller organizations that we develop and deliver ourselves from Europe.

Dale Peterson

Dale Peterson

Dale Peterson, a leading ICS security and control system IT information expert, provides consulting services to assess and improve the security of SCADA and DCS.

European Cyber Security Conference

European Cyber Security Conference

EU Cyber Security Conference will debate what Europe’s response to evolving threats in a dynamic global risk landscape should look like and what the next steps for all actors of the ecosystem.

ValueMentor

ValueMentor

ValueMentor is a leading cyber security service provider in the Middle East. We enable clients to reduce risk by taking a strategic approach to cybersecurity.

CyberCatch

CyberCatch

CyberCatch provides an innovative cybersecurity Software-as-a-Service (SaaS) platform designed for SMBs.

Flare Systems

Flare Systems

Flare proactively detects and remediates exposure across the clear & dark web, providing organizations with the equivalent of an automated cyber reconnaissance team.

Entech

Entech

Entech is a managed IT service provider. We work behind the scenes on your network to ensure data security and integrity.

ViroSafe

ViroSafe

ViroSafe is a leading value-added distributor of IT security solutions in Norway.

Clumio

Clumio

Clumio provides autonomous backup and recovery for critical cloud data.