Europol says 7 people linked to REvil/GandCrab ransomware have been arrested since the start of 2021

 


Law enforcement agencies in several countries have arrested a total of seven suspects who allegedly worked as affiliates of the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service (RaaS) operations, and helped to launch ransomware attacks against 7,000 victims.

Both REvil and GandCrab RaaS are believed to be operated by the same individuals.

The arrests have been carried out since February 2021 as part of a joint international law enforcement operation codenamed ‘GoldDust,’ which involved law enforcement agencies from 17 countries, Europol, Eurojust and INTERPOL.

Three affiliates of Sodinokibi/REvil and GandCrab were arrested in South Korea in February, April and October 2021, and a Sodinokibi/REvil affiliate was arrested in Poland at the beginning of October, Europol said in a press release.

The latest arrests were carried out at the beginning of November 2021 in Romania and Kuwait. Romanian police arrested two suspects who allegedly helped to carry out 5,000 REvil ransomware attacks, which brought in a total of half a million euros in ransom payments. On 4 November, Kuwaiti authorities arrested another GandCrab affiliate.

According to Europol, since 2019 the seven suspects launched attacks in which they collectively demanded more than €200 million in ransom.

The U.S. Department of Justice announced on Monday the seizure of approximately $6 million in ransom payments and charges against a Ukrainian national and a Russian national allegedly behind REvil ransomware attacks.

Yaroslav Vasinskyi, 22, a Ukrainian national arrested in Poland in October, and Yevgeniy Polyanin, 28, a Russian national who remains at large, face charges of conspiracy to commit fraud, damage to protected computers and money laundering. If convicted, they face maximum penalties of 115 and 145 years in prison, respectively.

Vasinskyi was charged in connection with his alleged role in carrying out the REvil ransomware attack against the U.S. software firm Kaseya in July, which in turn affected hundreds of companies across the globe.

“In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software,” the DoJ said.

In addition, the U.S. Department of State has offered a reward of up to $10 million for any information leading to the identification or location of key members of the REvil ransomware group.

“In addition, the Department is offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident,” the Department of State said.

Last week, the Department of State announced a $10 million reward for any information that may lead to the identification and/or arrest of members of the DarkSide ransomware gang.

