REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom

The U.S. is seeking the extradition of a Ukrainian man, Yaroslav Vasinskyi, whom they suspect is behind the Kaseya supply-chain attacks and other REvil attacks.

International law enforcement is squeezing REvil affiliates out of hiding, but the underground is shrugging it off: They know that Russia won’t touch a hair on the heads of the Russian-speaking ransomware operators, experts say.

On Monday, Europol announced the arrest of a total of seven suspected REvil/GandCrab ransomware affiliates – one of which is a Ukrainian charged by the United States with ransomware assaults that include the Kaseya attacks attributed to REvil.

To put the news into perspective, affiliates are a dime a dozen: They’re the cybercriminals that rent out ransomware in the ransomware-as-a-service (RaaS) economy, not the masterminds who hide away in sympathetic countries like Russia.


Late last month, Germany identified an alleged core REvil operator, but all that German authorities can do is clutch their arrest warrant and wait for the Russian billionaire to leave the safety of the motherland, researchers told Threatpost. Don’t hold your breath, experts say: The crooks know which countries have extradition agreements and which don’t.

DoJ Seizes $6.1M in Ransom Profits

On Monday, U.S. Department of Justice (DoJ) unsealed an indictment charging Yaroslav Vasinskyi, 22, a Ukrainian national, with conducting ransomware attacks against multiple victims, including involvement in the Kaseya initiative. The DoJ also revealed that it’s seized $6.1 million worth of ransom payments.

The DoJ said that the money was traced back to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who’s also been charged with REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.

A recap of the sprawling Kaseya supply-chain attack: On July 2, the REvil gang wrenched open three zero-days in Kaseya’s Virtual System/Server Administrator (VSA) platform in more than 5,000 attacks.

As of July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya’s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, clawing at those MSPs’ own customers.

According to Europol’s announcement, 1,500 downstream businesses were affected as REvil demanded a ransom of about €70 million (USD $81.1 million).

The announcement quoted Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas: “Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers. In a matter of months, the Justice Department identified the perpetrators, effected an arrest and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”

Romanian Arrests

Meanwhile, Romanian authorities arrested two suspected REvil (aka Sodinokibi) operators whom they suspect are behind 5,000 infections, and who’ve allegedly pocketed half a million euros in ransom payments.

In Monday’s announcement, Europol said that this brings the tally of REvil/GandCrab arrests to five since February 2021: Three other REvil affiliates have been arrested, plus two suspects allegedly linked to REvil’s earlier iteration, GandCrab.

Here are the REvilers that have been collared:

Early October: Vasinskyi, the alleged REvil affiliate and Ukrainian suspected of being behind the Kaseya attack, was arrested at the Polish border after an international arrest warrant was issued by the U.S.; U.S. authorities are seeking his extradition.

February, April & October: South Korean authorities arrested three individuals suspected of being GandCrab/REvil affiliates, allegedly having victimized more than 1,500 targets.

Nov. 4: Kuwaiti authorities arrested another alleged GandCrab affiliate.

The seven suspected affiliates are suspected of attacking about 7,000 victims in total, according to Europol.

Operation GoldDust

The busts are a result of Operation GoldDust: An effort that entailed identifying, wiretapping and seizing some of REvil’s infrastructure. The infrastructure grab is the likely explanation for the July 13 disappearance of REvil’s sites, one expert told Threatpost.

At the time, the REvil operators said that the infrastructure went down and that operations were ceasing for the time being but that they’d be back. Some in the cybercriminal underground thought that REvil may have taken its servers down on purpose, while others speculated that the main REvil spokesperson – “Unknown” – had either disappeared or died.

But according to Jon DiMaggio, REvil ransomware threat group researcher and chief security strategist at Analyst1, it’s now “highly likely” that law enforcement was behind the July 13 shutdown.

“[That’s] opposed to the recent [REvil server takedowns in October], where [REvil operators] realized that keys were copied, and they were being set up and they took servers down,” DiMaggio noted in a conversation with Threatpost on Monday.

In September, REvil operators restored operations from a backup that, it turns out, was under government control. REvil operators – including a top leader called 0_neday – restored the group’s websites from a backup without realizing that law enforcement were controlling some of the gang’s internal systems.

GoldDust involved 17 countries, Europol, Eurojust and INTERPOL. Besides leading to REvil’s infrastructure being grabbed, it also led to the release of three decryption tools through the No More Ransom project. That project has saved more than 49,000 systems and more than $69.5 million (€60 million) in unpaid ransom so far, according to Europol.

GoldDust’s Crabby Roots

The roots of GoldDust date back to 2018, when Europol backed a multi-country investigation – spearheaded by Romania – into the GandCrab ransomware family.

In 2019, GandCrab’s operators supposedly threw in the towel after claiming that they’d raked in nearly $2 billion in a little over a year. That included earnings from a thriving RaaS business as well as $150 million for the operators themselves, who said that they were averaging $2.5 million per week.

But they didn’t all just kick back and relax. Rather, some GandCrab affiliates are believed to have moved into the REvil operation. In September 2019, researchers from Secureworks Counter Threat Unit (CTU) inspected malware that had recently hit 22 Texas municipalities and various dentist offices around the country and found that the string decoding functions employed by REvil and GandCrab were nearly identical. In fact, REvil activity spiked after the GandCrab retirement notice.

As Europol tells it, GandCrab was one of the world’s most prolific ransomware families, with upwards of 1 million victims worldwide. Its offshoot, REvil, has done its part to keep up the family name: Besides Kaseya, it was also behind an attack on the global meat supplier JBS Foods.

REvil has also been tied to the Colonial Pipeline attack, according to Reuters, which broke the news about law enforcement boobytrapping the gang’s backups to keep track of all of its operations. The culprit for the Colonial attack had previously been presumed to be a ransomware group named DarkSide.

Bitdefender Releases Results of Universal REvil Decryptor

On top of the news from the DoJ and Europol, Monday was a jubilant REvil pigpile as Bitdefender released results of its universal REvil decryptor, announcing that so far, it’s saved companies more than $550 million in ransom fees.

In September, Bitdefender had released the free, universal decryptor key to unlock data of victimized organizations that were encrypted by REvil/Sodinokibi ransomware attacks before the gang’s servers went belly-up on July 13.

The September decryptor was the real deal, not the letdown of the previous month, when Kaseya got its hands on a master key. At that time, it was first thought that the key could unlock all of the REvil attacks that occurred at the same time as the Kaseya hits. Unfortunately, it soon became clear to researchers that the decryptor was only for the files locked in the Kaseya attack.

Alexandru Catalin Cosoi, senior director of Bitdefender’s investigation and forensics unit, told Threatpost on Monday that the number of tech-support requests received after the release of the decryptor is “insignificant.”

Bitdefender hasn’t seen much change in the code of the ransomware variants captured after July 13, except for the removal of a hardcoded skeleton key that allegedly belonged to “Unknown” – the admin who vanished around that time. The company has seen several tracked variants, including some with debugging symbols left in the compiled binaries, Cosoi said. All of the variants “were packed by affiliates in different manners to facilitate anti-malware solution evasion,” he said.

Bitdefender has also been tracking a variant developed for Linux workstations, although, unlike the Windows counterpart, it “was rarely obfuscated or packed, given that most target Linux servers rarely ran dedicated security solutions,” he said in an email.

At any rate, the company perpetually updates its decryptors to solve for the most recent attacks. “Our mission is to help as many victims as possible and bring them back in business in the shortest time possible,” he said, and that includes a new decryptor to handle whatever REvil flings at victims. “We won’t be able to offer a timeline for the release of a new REvil tool, but we’re working on it,” Cosoi said.

Arrests Are Just a ‘Speed Bump’

Analyst1’s DiMaggio is ambivalent about the arrests and charges brought against alleged REvil affiliates. It’s “a step in the right direction,” he told Threatpost, and “can only help deter this type of activity when law enforcement can identify cyberattackers, giving them names and faces that remove the anonymity the internet allows them to hide behind.”

Still, cybergangs like REvil aren’t exactly trembling in their boots. They “have little fear of the U.S. or law enforcement, and today’s arrests only substantiate that the core gang, who reside in Russia, are untouchable,” he said, reiterating that the individuals arrested are just affiliates, not the actual operators.

“The core gang is still free and can operate and continue their criminal activities because they are under the protection of Russia, who does not see them as criminals,” he said, calling Monday’s arrests “more of a speed bump than a road block.”

The Underground Shrugs

Chatter about the arrests on the criminal forums is less “let’s get out of here” than it is “ho hum, la de da,” DiMaggio said. “The chatter has definitely more of a mocking tone: ‘Oh, here’s another attempt to get us, these guys never learn,'” he said. “It’s a small amount of individuals getting arrested compared [with] how many guys are out there.

“In Russia, they literally have no fear of being arrested,” he added. “They make comments like, ‘protect the motherland, the motherland protects you.’ This is more evidence to support that. They put Russian flag icons on their messages. I’m not saying there’s no fear, but the heavy hitters, at least, on the forums, are either being quiet or posting about ‘hey, here’s more news, it’s another day, what’s next.'”

He continued, “There’s no fear. No feeling that ‘it’s closing in on us.'”

REvil’s Doing Just Fine Kneecapping Itself

What’s going to cripple REvil’s rebirth far more than the arrests of the gang’s alleged affiliates is how they’ve shot themselves in the foot by cheating their affiliates out of payments, DiMaggio said. In September, word got out that REvil operators doublecrossed the gang’s own affiliates out of ransom by using double chats and a backdoor to hijack the payments. A day later, those affiliates took to the top Russian-language hacking forum to renew their demands for REvil to fork over their pilfered share.

“I live on these forums,” DiMaggio said. “Nobody wants to work with these guys. Nobody trusts them.”

REvil could try to rebrand, but it wouldn’t do the gang much good, DiMaggio said. Security researchers can identify ransomware gangs within weeks after they rebrand, given that they always come back with code that’s only tweaked, not rewritten from the ground up, he said. If security researchers can do that, you can bet your bottom dollar that members of other ransomware gangs can too, he said.

“I don’t think we’re going to see REvil coming back and doing a whole lot,” DiMaggio predicted. “Not the actual core gang. They’ll probably have to go their separate ways. It’s not the last we’ve seen of them, but it’s the last of seeing them working together.”
