
Ransomware Group REvil: International Operation GoldDust Against Cyber Blackmailers

Investigators arrested cyber extortionists during raids in Romania, Poland, the United States and South Korea. They confiscated $6.1 million in ransom.

Authorities from 17 countries have disclosed a month-long investigation against one of the currently most active cyber extortion groups. Europol, the US FBI and the Romanian police reported a total of seven arrests worldwide of members of the ransomware group REvil and of the group GandCrab, which is considered to be the predecessor of REvil. In addition, US Attorney General Merrick Garland said $6.1 million in cryptocurrencies extorted from victims had been confiscated. French and German investigators, including the Baden-Württemberg State Office of Criminal Investigation, were also involved in the operation, called GoldDust.

REvil has been blamed for attacks on companies, organizations, healthcare facilities and city governments around the world. The perpetrators break into other people's computer systems, copy the data stored there and then encrypt the computers so that the victims can no longer use them. They then offer the decryption key for large ransom sums and threaten to publish the copied data if their demands are not met.

According to IT security experts, the REvil group, also known as Sodinokibi, emerged from GandCrab. It has turned this form of attack into a franchise model: it rents out the malicious code to other criminals, who use it to blackmail victims and share the ransom with the developers.

Two of these accomplices, known as affiliates, were arrested in Romania on November 4th, as announced by Europol and Romanian authorities on Monday. They are said to have extorted a ransom of 500,000 euros.

Suspected Kaseya hacker

In addition, based on an international arrest warrant from the USA, another REvil partner was arrested on the border between Ukraine and Poland at the beginning of October. According to the FBI, the Ukrainian named Yaroslav Vasinskyi, who acted online under the name Rabotnik, is responsible for the attack on the Kaseya company and thus for the biggest hack with REvil to date.

Kaseya is an international IT service provider that offers remote maintenance software. On the one hand, the company itself was blackmailed: the perpetrators demanded a $70 million ransom for the decryption of the hijacked systems. On the other hand, around 1,500 Kaseya customers were subsequently attacked, because the perpetrators used Kaseya's remote maintenance service to gain access to the systems of the companies that relied on it.

In addition to these three suspects, three others were arrested in South Korea in February, April and October; they are also alleged to be so-called affiliates of GandCrab. A seventh accomplice was arrested in Kuwait in early November. According to Europol, all of them together are said to have attacked and blackmailed more than 7,000 victims worldwide.

$10 million bounty for the backers

Such attacks are a serious threat to the US, said Attorney General Garland. Some time ago, the US government gave the fight against ransomware a status similar to that of the fight against terrorism. The US Department of Justice is using every available resource "to find anyone who is attacking the US with ransomware," Garland said.

But even if those arrested are responsible for many attacks and the Kaseya hack appears to have been solved, the people behind REvil have still not been found. Despite all the investigators' efforts, this seldom succeeds, since the core members are mostly located in countries such as Russia, which do not extradite their citizens and hardly take action against the perpetrators themselves. (Here is a report on one of the alleged distributors of the ransomware.) According to a report by the Washington Post, the US State Department wants to offer a bounty of ten million dollars for clues about the people behind it.
