SecureWorld News

Operation 'GoldDust' Uncovers REvil Ransomware Associates

Written by Drew Todd | Mon | Nov 8, 2021 | 10:12 PM Z

As large and looming a threat as ransomware has posed to organizations around the world in the last year, the tide may slowly be turning in the fight against malicious cyber actors.

Last week, SecureWorld News reported that ransomware wins are finally adding up, and we are seeing real results in efforts from law enforcement authorities.

This week, Europol reported on the success of Operation GoldDust, a joint international law enforcement effort involving 17 countries, which led to the arrests of multiple REvil affiliates.

Anti-REvil team busts threat actors

REvil, also known as Sodinokibi, is the notorious Russian ransomware gang that has claimed responsibility for multiple cyberattacks targeting major organizations in the last year. Most notably, they were the masterminds behind the Kaseya incident, which affected more than 1,500 downstream organizations.

To combat the threat of REvil, a Joint Investigation Team was created in May 2021, and the results of the team's efforts are adding up.

Europol says that at the beginning of October, Polish authorities arrested a REvil associate at the border after an international arrest warrant was issued by the United States. This individual is a Ukrainian national and is suspected of perpetrating the Kaseya attack.

In February, April, and October of this year, South Korean authorities arrested three individuals involved in the GandCrab and REvil ransomware families. GandCrab is thought to be the predecessor to REvil.

Most recently, on November 4th, Kuwaiti authorities arrested one GandCrab affiliate, while Romanian authorities arrested two individuals suspected of cyberattacks deploying the REvil ransomware.

In total, seven suspects linked to REvil or GandCrab have been arrested since February 2021. It is believed these seven attacked more than 7,000 victims, according to Europol.

Decryption tools for ransomware

Since 2018, REvil and GandCrab have been two of the world's most prolific ransomware families, with reports of over one million victims combined.

Though fighting back against ransomware has been a challenge for law enforcement, their efforts have produced three decryption tools released through the No More Ransom project. Europol says the project has saved over 49,000 systems and approximately $70 million in unpaid ransom from GandCrab attacks so far.

Europol also says the success of these operations would not have been possible without collaboration from private companies:

"The support from the cybersecurity sector has proven crucial for minimising the damage from ransomware attacks, still the biggest cybercrime threat. Many partners have already provided decryption tools for a number of ransomware families via the No More Ransom website.

Currently, No More Ransom has decryption tools for GandCrab (V1, V4 and V5 up to V5.2 versions) and for Sodinokibi/REvil. The Sodinokibi/REvil decryption tools helped more than 1400 companies decrypt their networks, saving them almost €475 million in potential losses. The tools made available for both ransomware families enabled more than 50 000 decryptions, for which cybercriminals had asked about €520 million in ransom."
