REvil ransomware affiliates arrested in international takedown

Two suspected REvil ransomware affiliates were arrested by Romanian authorities last Thursday as part of an international law enforcement operation, Europol announced Monday.

The arrests were made as part of "Operation GoldDust," a REvil ransomware takedown campaign conducted by Europol, Eurojust, Interpol and 17 countries across multiple continents. Europol said in its press release that in addition to the two Nov. 4 arrests, five other suspected affiliates have been arrested since February: three REvil affiliates and two GandCrab affiliates.

The two suspects were allegedly responsible for 5,000 ransomware infections and received approximately half a million euros in ransom payments. 

"All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab," the press release read.

Europol said Operation GoldDust was built from leads discovered in a previous investigation that targeted the GandCrab ransomware operation. Adam Meyer, vice president of intelligence at CrowdStrike, detailed various connections between GandCrab and REvil in a July blog post.

Europol released few details regarding the Nov. 4 arrests by Romanian authorities, but the press release gave slightly more detail on the other five arrests made as part of GoldDust. In February, April and October, a total of three GandCrab and REvil affiliates were arrested in South Korea. In October, another REvil affiliate was arrested in Europe, though no other details were provided. Lastly, also on Nov. 4, Kuwaiti authorities arrested a GandCrab affiliate.

The seven suspects arrested since February are suspected to have been responsible for a total of 7,000 ransomware infections, and to have made a total of 200 million euros in ransom demands, though how much victims actually paid is unknown.

The Europol post also referenced No More Ransom, a collaboration between private-sector security companies and the agency to provide decryption tools for ransomware victims. As part of Operation GoldDust, GandCrab and REvil decryption tools were released this year in partnership with Bitdefender.

In an email to SearchSecurity, a Europol spokesperson said Operation GoldDust "lasted rather long" and that "the decryptors were made available during this period. Bitdefender supported this investigation by providing also decryption tools for Sodinokibi/REvil and GandCrab ransomware families."

The decryptors have had a major impact on ransomware victims, according to Europol.

"The Sodinokibi/REvil decryption tools helped more than 1400 companies decrypt their networks, saving them almost €475 million in potential losses," the press release said. "The tools made available for both ransomware families enabled more than 50,000 decryptions, for which cybercriminals had asked about €520 million in ransom."

Alexander Culafi is a writer, journalist and podcaster based in Boston.