A Tough Week for REvil Ransomware
Ransomware Group Affiliates Arrested. $10 million Bounty for the Whereabouts of the Group’s Leaders.
The REvil/Sodinokibi ransomware (AKA Sodin) is a great example of Ransomware-as-a-Service, a type of cybercrime where two parties collaborate on the hack: the code writers who create the ransomware, and the affiliates who distribute it and collect the payment.
Ransomware-as-a-Service is an illegal ‘parent-affiliate(s)’ business architecture in which operators (i.e., malicious software owner and/or creator) provide tools to affiliates (i.e., customers) for ransomware attacks.
REvil/Sodinokibi is a highly elusive ransomware that employs a distinctive social engineering technique: those spreading it threaten to double the ransom if it is not paid within a specified number of days. This is why Sodinokibi ransomware represents a high risk for businesses of all sizes. Sodinokibi, also known as Sodin or REvil, quickly rose to become the world’s fourth most widely circulated ransomware, mostly targeting American and European businesses.
REvil Affiliates Arrested in Romania
DIICOT (the Romanian Directorate for Investigating Organized Crime and Terrorism) and judicial police officers searched four homes in Constanța, confiscating mobile devices (laptops, phones) and storage media.
The Bucharest Tribunal ordered 30 days of pre-trial detention for the two REvil affiliates.
According to Europol (the European Union Agency for Law Enforcement Cooperation), the arrests are the result of operation GoldDust.
Since 2018, Europol has supported a Romanian-led investigation targeting the GandCrab ransomware family and involving law enforcement authorities from a number of countries, including the United Kingdom and the United States.
All these arrests follow joint international law enforcement efforts to identify, wiretap and seize some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.
A Large Bounty Offered by the US for Information Regarding REvil Affiliates
In an interview with the Associated Press on November 4, US Deputy Attorney General Lisa Monaco also stated that the US will crack down on ransomware activities, and is offering up to $10 million for information leading to the identification or location of leaders in the REvil (Sodinokibi) ransomware operation, including $5 million for information leading to the arrest of affiliates.
This reward is being provided as part of the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), which rewards informants for information leading to the arrest or conviction of members of transnational organized crime groups.
The Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual holding a key leadership position in the Sodinokibi ransomware variant transnational organized crime group. In addition, the Department is offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.
This reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP). The Department manages the TOCRP in close coordination with our federal law enforcement partners as part of a whole of government effort to disrupt and dismantle transnational organized crime globally, including cybercrime. More than 75 transnational criminals and major narcotics traffickers have been brought to justice under the TOCRP and the Narcotics Rewards Program since 1986. The Department has paid more than $135 million in rewards to date.
A REvil ransomware affiliate responsible for the Kaseya MSP attack was just apprehended.
Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was apprehended on cybercrime charges at the request of the US while attempting to enter Poland from his home country.
Vasinskyi has a number of aliases, including Profcomserv, Rabotnik, Rabotnik New, Yarik45, Yaraslav2468, and Affiliate 22. He is one of seven REvil ransomware associates caught thus far in extensive worldwide operations to tackle the ransomware problem.
In a press conference today, the DoJ announced the charges against Vasinskyi, underlining his involvement in the Kaseya attack that impacted around 1,500 businesses worldwide.
Vasinskyi has been a long-time affiliate of the REvil ransomware organization, having been a member of it since at least March 1st, 2019, and has carried out around 2,500 operations against firms worldwide.
According to the investigation, Vasinskyi’s ransom demands totaled $767 million, but victims only paid $2.3 million. He is suspected of deploying ransomware on the networks of at least nine firms in the United States.
The United States has now requested Vasinskyi’s extradition and has unsealed the allegations against him.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module. This module is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).