The National Police of Ukraine have arrested two men in an apparent major blow to a prolific ransomware gang that extorted over 100 victims in a campaign of cyber attacks that netted as much as $150m (£110m/€129m).
The action was assisted by the French Gendarmerie International, the US FBI, Europol’s European Cybercrime Centre (EC3) and Interpol’s Cyber Fusion Centre.
In a coordinated sting, which took place on Tuesday 28 September, law enforcement officers searched seven properties in the Ukrainian capital Kiev.
They also seized computing equipment, $375,000 in cash and two luxury vehicles worth €217,000. Additionally, $1.3m worth of cryptocurrency assets have been frozen.
The two men are accused of roles in a string of targeted attacks against large industrial groups, energy companies and others in Europe and North America, beginning in April 2020. The ransomware was spread through exploits in remote desktop access products and phishing campaigns, Ukrainian police revealed.
The attackers demanded ransoms of between €5m and €70m and operated the now-standard double extortion model: they not only encrypted files and demanded payment for a decryptor, but also threatened to leak the stolen data on the dark web if payment was not made, causing their victims further reputational damage and exposing them to an increased risk of regulatory action.
Under Ukrainian law, the men face criminal cases for unauthorised interference in the work of computers, automated systems and computer or telecoms networks, and laundering of property obtained by criminal means. If successfully prosecuted, they could face 12 years in prison.
The authorities have not yet disclosed which strain of ransomware was used in the attacks as the investigation remains ongoing.
However, the scale of the group’s ransom demands, as revealed by Europol, has prompted community speculation of a link to REvil, which attempted to extort Kaseya for $70m earlier in 2021.
The REvil gang, which recently resurfaced after a brief hiatus, is certainly one of the more prolific ransomware crews currently operating, with a wealth of high-profile attacks under its belt.
According to McAfee’s most recent advanced threat report, REvil was the most detected ransomware in the wild during the second quarter of 2021, accounting for 73% of the security software supplier’s top 10 ransomware detections.