Suspected leading member of REvil gang identified in Russia

The REvil ransomware gang is notorious for numerous cyber attacks. After its infrastructure was dismantled by law enforcement, the group disappeared, came back, and disappeared again. But who are the masterminds or backers behind this group? German investigators have now managed to identify a leading member of the core group – now a millionaire – behind the infamous REvil malware in Russia.


The REvil group

The REvil ransomware gang (also known as Sodinokibi) is one of the most aggressive cyber actors of recent years and operates a "ransomware as a service" model. Distribution works through a kind of affiliate program: third parties are allowed to use the group's malware for their own criminal campaigns, and the group receives a portion of the extorted funds as commission.

The attack on meat packer JBS and, most recently, the supply chain attack on U.S. manufacturer Kaseya (see Kaseya hack affects 1,500 companies worldwide) attracted plenty of attention. But smaller companies have also fallen victim to the gang. In mid-July 2021, the websites of the REvil group as well as its payment servers and infrastructure were shut down (I reported on this in the blog post REvil Ransomware Group server and infrastructure is shut down).

A few weeks ago, a decryptor for REvil-encrypted files was released (Bitdefender provides universal REvil decryptor). Furthermore, it became known that the ransomware gang had cheated its own affiliates: while the affiliates that had booked REvil's services and infected victims were still negotiating a ransom, the REvil operators inserted themselves into those negotiations via a backdoor and took over the ransom. A few days ago, actors from the group were back online, but stopped operations again after their Tor sites were hijacked (see REvil cyber gang suspends activities after hijacking Tor sites).

A leading member identified

Getting at the leading members behind these groups is a difficult proposition. I just came across the following tweet on Twitter, which suggests that German law enforcement may have had success with this approach. LKA investigators had been tracking Bitcoin ransom payments in various extortion cases and found what they were looking for.

REvil mastermind identified


German media outlets BR and Zeit Online have investigated this matter. A suspected mastermind of the REvil group lives unmolested in Russia and leads a luxurious lifestyle. The man officially acts as a "trader of cryptocurrency," but investigators from the Federal Criminal Police Office (BKA) and the LKA Baden-Württemberg believe that his fortune was obtained from ransoms paid to the REvil gang (and its predecessor GandCrab).

According to research by BR and Die Zeit, investigators tracked down the suspected perpetrator by analyzing Bitcoin payments over the course of months. The case began with a complaint filed in 2019 by a software developer from Stuttgart, after the cyber criminals had obtained the access credentials of an employee. This enabled the REvil group (and its predecessor GandCrab) to penetrate the systems of some of the developer's customers. The Staatstheater Stuttgart was also among the victims and probably paid a ransom.

This led to the establishment of the "Krabbe" investigation group (named after GandCrab), which has now achieved this investigative success. An international arrest warrant is reportedly being applied for. However, it is unlikely that the person involved will be arrested and extradited, or that the Russian state will confiscate the assets.

The German BR article says that reporters from BR and Zeit Online succeeded in following the traces the suspect left on the net. For example, they found photos from his youth, still without expensive watches and designer clothes. In addition, there are clues on the Internet that point to payments from ransomware cases. The suspect's Instagram account lists an e-mail address that has been used to register more than 60 websites, some with authentic contact details such as cell phone numbers. One of these mobile numbers is linked to a Telegram account that allegedly specializes in cryptocurrency trading. According to the media reports, payments worth almost 400,000 euros were transferred to a Bitcoin address listed there. These payments probably originate from ransomware incidents, as explained by an expert who specializes in analyzing Bitcoin payments. Another expert assumes that K. received the money from someone working for various ransomware groups, possibly an affiliate. Among these groups is REvil. Both articles contain additional information obtained from traces the suspect and his wife have left on social media.

Similar articles:
REvil Ransomware hackers release first Trump files
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Kaseya hack affects 1,500 companies worldwide
REvil Ransomware Group server and infrastructure is shut down
Bitdefender provides universal REvil decryptor
REvil cyber gang suspends activities after hijacking Tor sites
