Five affiliates of Sodinokibi/REvil ransomware group arrested

The air is getting thinner for supporters and affiliates of various ransomware gangs. Pressure from law enforcement is increasing. Europol has identified and arrested five people who were actively involved in extortion as affiliates of the Sodinokibi/REvil ransomware group. Those involved were based in Romania and Kuwait and thought they were safe because, after all, everything was done via the Internet and cryptocurrency.


The action took place as early as Nov. 4, 2021, according to Europol, when Romanian authorities arrested two people suspected of carrying out cyberattacks using the Sodinokibi/REvil ransomware. Those arrested are accused of being responsible for 5,000 infections with the Sodinokibi/REvil ransomware. A total of half a million euros in ransom was collected in these cyberattacks.

Since February 2021, law enforcement authorities have arrested three more members of Sodinokibi/REvil and two suspects in connection with the activities of the GandCrab ransomware gang. Catalin Cimpanu, in a tweet, provides a listing of seven people arrested from the global cyber gang REvil/GandCrab. On The Record he writes that the following arrests were made:

  • February, April, October – arrest of three REvil and GandCrab members in South Korea
  • October – arrest of one REvil member in Poland (charged with REvil attacks on Kaseya)
  • November 4 – arrest of two REvil members in Constanta, Romania
  • November 4 – arrest of a GandCrab member in Kuwait

These are some of the results of Operation GoldDust, which involved law enforcement officers from 17 countries, Europol, Eurojust and INTERPOL. All of these arrests follow joint international law enforcement efforts to identify, intercept, and seize some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is considered a successor to GandCrab.

Anti-REvil team in Europe set up

It looks like the ransomware gangs have overplayed their hand. Since 2019, several major international companies have faced severe cyberattacks involving the Sodinokibi/REvil ransomware. That created enough pressure to act. France, Germany, Romania, Europol and Eurojust stepped up action against this ransomware and established a joint investigation team in May 2021.


Bitdefender, in collaboration with law enforcement, made a tool available on the No More Ransom website to help Sodinokibi/REvil victims recover their files from attacks carried out before July 2021.

In early October, a Sodinokibi/REvil member was arrested at the Polish border after the U.S. issued an international arrest warrant. The Ukrainian national is suspected of perpetrating the Kaseya attack, which affected up to 1,500 downstream companies and for which Sodinokibi/REvil demanded a ransom of around EUR 70 million.

In addition, in February, April, and October 2021, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims.

On Nov. 4, Kuwaiti authorities arrested another GandCrab affiliate, bringing the total number of suspects arrested in connection with the two ransomware families to seven since February 2021. They are suspected of attacking a total of about 7,000 victims.

GoldDust: Connections to GandCrab

Since 2018, Europol has been supporting Romanian-led investigations and inquiries targeting the GandCrab ransomware family. Law enforcement agencies from a number of countries are involved in the investigation, including the United Kingdom and the United States.

With more than one million victims worldwide, GandCrab has been one of the most prolific ransomware families in the world. The combined efforts of law enforcement agencies led to the release of three decryption tools as part of the No More Ransom project, resulting in the recovery of more than 49,000 systems to date and the non-payment of more than €60 million in demanded ransom.

The investigation also dealt with GandCrab's affiliates. It is suspected that some of those involved later worked with Sodinokibi/REvil. Law enforcement's Operation GoldDust was also built on leads from this area.

Decryptors help

Europol writes that support from the cybersecurity sector has proven critical to minimizing the damage from ransomware attacks. Many partners in the security community have already provided decryption tools for a number of ransomware families through the No More Ransom website.

Bitdefender supported this investigation by providing key technical insights throughout the investigation, as well as decryption tools for these two very common ransomware families to help victims recover their files. KPN and McAfee Enterprises are other private sector partners that also supported this investigation by providing technical expertise to law enforcement.

Currently, No More Ransom has decryption tools for GandCrab (V1, V4 and V5 through V5.2) and for Sodinokibi/REvil. The Sodinokibi/REvil decryption tools helped more than 1,400 companies decrypt their network-encrypted files and saved them nearly €475 million in potential losses. The tools provided for both ransomware families enabled more than 50,000 decryptions, for which the cybercriminals had demanded around €520 million in ransom.

US authorities also strike

Law enforcement officials in the US have also struck, seizing $6 million from the REvil ransomware gang, as announced in a tweet.

(Tweet: REvil ransomware gang seizure)

In addition to the seizure, a number of other actions took place against suspected REvil ransomware attackers in Europe. Among them, there was an arrest and an indictment. And there are new sanctions against a cryptocurrency exchange service and companies that support the service.

Yaroslav Vasinskyi, a 22-year-old Ukrainian citizen, was arrested at the behest of U.S. authorities on Oct. 8 as he crossed the border into Poland. Vasinskyi is accused of writing the code behind the REvil malware. REvil, also known as Sodinokibi, is among the most dangerous ransomware strains. According to U.S. Attorney General Merrick Garland, the malware has been deployed on about 175,000 computers worldwide and has brought in at least $200 million in extortion money.

U.S. authorities also announced an indictment against Russian citizen Yevgeny Polyanin. In addition to charges of conspiracy to commit computer fraud, willful damage to a protected computer, and conspiracy to launder money, officials also seized $6.1 million from Polyanin. Polyanin conducted about 3,000 ransomware attacks against organizations, including law enforcement agencies and municipalities, and extorted about $13 million from his victims. Details can be read here.
