Law enforcement agencies have announced the arrest of seven individuals linked to REvil ransomware which caused a series of high profile ransomware incidents earlier this year.
Europol and the US Department of Justice recently announced the success of ‘Operation GoldDust’ which included a joint-effort from 17 countries – with arrests spanning Romania, Poland, South Korea and Kuwait.
The group are accused of 7,000 individual ransomware attacks, and of links to the attacks which breached organisations using Kaseya remote-management software back in July – a supply chain attack described by security specialists SentinelOne as a ‘well orchestrated’ and ‘mass-scale’ ransomware campaign.
REvil was also used in the devastating attack on the Colonial Pipeline which caused fuel shortages across the US East Coast, and at the world’s largest meat supplier JBS Foods earlier in 2021. Authorities are believed to have recovered around $6.1m in ransom payments so far.
Europol thanked all the countries involved, as well as Eurojust and Interpol, for a concerted effort, and also praised the contribution of a number of private cybersecurity firms who assisted Operation GoldDust with technical support.
A previous investigation by Romanian police suggested the REvil group were an offshoot of those responsible for GandCrab ransomware released in 2018, and resulted in the release of three universal decryption tools by UK and US authorities which are believed to have prevented a further €60m of ransom payments from being extorted.
After the group originally claimed in September to be disbanding, it was revealed that REvil’s infrastructure had itself been hacked by a joint team from the FBI, US Cyber Command and the Secret Service – and forced offline. Key members of the group’s leadership, believed to be Russian, were thought to be on the run.
The issue of Russian reluctance to tackle cyber-crime syndicates also spilled over into warnings of US retaliation during in-person talks between US President Joe Biden and Russian President Vladimir Putin in June.