REvil ransomware "affiliates" arrested, including alleged Kaseya hacker

Europol has announced the arrests of seven REvil/GandCrab ransomware group "affiliates". The arrests came as part of a global effort called operation "GoldDust", intended to take the fight to cybercriminals. It involved 17 countries and the cybersecurity companies Bitdefender, KPN and McAfee Enterprises.

The REvil arrests follow aggressive action by the US against the Ransomware-as-a-Service (RaaS) syndicate, which has been widely active since 2019. That included the alleged successful breach of REvil's Tor-based and other IT infrastructure by the US and partners, according to Reuters reports on October 21.

The US Department of Justice meanwhile on November 8 also announced indictments against a Ukrainian and a Russian national and the seizure of $6.1 million in alleged ransom payments. The Ukrainian, Yaroslav Vasinskyi, 22, was arrested travelling to Poland. He has been charged with leading the attack against software company Kaseya this summer -- a supply chain attack that spawned thousands of downstream incidents.

See also: MSPs used as ransomware conduit after Kaseya remote access tool breached: 1,000s hit

Most ransomware organisations now operate on a RaaS basis, with trusted affiliates making the operational decisions on who to target, as well as running the spearphishing and other campaigns that get them an initial foothold on target networks in order to deploy ransomware and extort victims. FBI statements suggest Vasinskyi was a prolific affiliate -- and FBI Director Christopher Wray particularly praised Kaseya for its rapid notification of the agency after getting hacked, saying this helped it harvest critical intelligence on the ransomware gang.

Wray said: "... [Kaseya] engaged with us early. The FBI coordinated with a host of key partners—including CISA and foreign law enforcement and intelligence services—so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire. Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger."

He added: "When the FBI is engaged early, we can provide victims more and better support. We get them the intelligence and technical information they need faster. And we can quickly work back from that intrusion to follow and seize the criminals’ money before it can jump through wallet after wallet and exchange after exchange, identify other victims about to be hit or in the early stages of further attacks, and make connections between what the reporting victim sees and intelligence we gather from around the world, arming both the private sector and our government partners with insights they can act on."

The latest brace of Europol-led REvil arrests, meanwhile, were made in Romania. The two individuals arrested had alone caused over 5,000 ransomware infections. They follow arrests in "Europe", Kuwait, and South Korea, Europol said November 8. The European Union law enforcement agency went out of its way to thank private sector partners in the wake of the arrests, emphasising: "The support from the cybersecurity sector has proven crucial for minimising the damage from ransomware attacks, still the biggest cybercrime threat. Many partners have already provided decryption tools for a number of ransomware families via the No More Ransom website."

The agency added in a press release: "Bitdefender supported this investigation by providing key technical insights throughout the entire investigation, along with decryption tools for both of these highly prolific ransomware families to help victims recover their files.

See also: How a devastating ransomware attack forced a radical security rethink at this multinational

"KPN and McAfee Enterprises are other private sector partners that have also supported this investigation, by providing technical expertise to law enforcement."

As security researcher Marcus Hutchins noted on Twitter: "With today's ransomware it's affiliates who decided what companies to go after, hack their networks, and deploy ransomware. Arresting them is probably more important than the operators, who are in non-extradition countries and really only reduce overhead."

Bitdefender's Bogdan Botezatu added that the company's DRACO Team provided "cybersecurity consulting and guidance especially in areas of cryptography, forensics, and investigations that helped the law enforcement consortium in this operation minimize the impact of successful ransomware attacks, and eventually led to arrests. This collaboration with law enforcement is a prime example of the public and private sector working together to significantly disrupt cybercriminal activities."

Europol facilitated "information exchange, supported the coordination of operation GoldDust and provided operational analytical support, as well as cryptocurrency, malware and forensic analysis", it said of the campaign, which brought in authorities in Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the UK and the US.
