Romanian authorities have arrested two individuals suspected of cyber-attacks using the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol.
REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.
A further suspected GandGrab affiliate was arrested by Kuwaiti authorities on the same day.
In addition to these arrests, Operation GoldDust saw three additional arrests in February, April and 2021 by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate was arrested in Europe in October. In total, the operation has resulted in seven arrests and it’s the first time they’ve been disclosed publicly by law enforcement.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The operation involved police from countries around the world and international law enforcement agencies Europol, Eurojust and Interpol. The arrests follow a joint operation which was able to identify intercept communications and seize infrastructure used during campaigns.
Operation GoldDust also received support from the cybersecurity industry from companies including Bitdefender, KPN and McAfee. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom.
Decryption tools for several versions of GandCrab and REvil ransomware are available for free via the No More Ransom project. According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cyber criminals.
Europol supported the operation by providing analytical support, as well analysis into malware and cryptocurrency. The 17 countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.
“These arrests illustrate what can be achieved when the public and private sectors pool their resources to fight cybercrime. This operation was an around-the-clock global effort to hunt down those responsible for the most devastating ransomware attacks in recent history leaving no stone unturned,” Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender which aided investigations told ZDNet.
“The success of this operation is a wake-up call for cybercriminals. They should understand if they are caught in the crosshairs of an international effort to find them, they can’t hide,” he added.
The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.
MORE ON CYBERSECURITY
- Ransomware: It’s a ‘golden era’ for cyber criminals – and it could get worse before it gets better
- Have we reached peak ransomware? How the internet’s biggest security problem has grown and what happens next
- Ransomware: Even when the hackers are in your network, it might not be too late
- Ransomware gangs are complaining that other crooks are stealing their ransoms
- These ransomware criminals lost millions of dollars in payments when researchers secretly found mistakes in their code