Europol announces the arrest of seven suspects related to the GandCrab/Sodinokibi/REvil ransomware that allegedly attacked more than 7000 companies and conducted extortion via the dark web

According to the official Europol website, on November 4, Romanian authorities arrested two cyber attackers suspected of deploying the Sodinokibi/REvil ransomware. They were allegedly responsible for 5,000 infections and extorted a total of €5 million in ransom money. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects linked to GandCrab. These are some of the results of Operation GoldDust, which was conducted by 17 countries, Europol, Eurojust and INTERPOL. All of these arrests follow joint international law enforcement efforts, including the identification, wiretapping and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor to GandCrab.

Anti-REvil teams formed in Europe

Since 2019, several large international companies have faced serious cyber attacks that deployed Sodinokibi/REvil ransomware. France, Germany, Romania, Europol and Eurojust set up a joint investigation team in May 2021 to step up action against the ransomware.Bitdefender, in cooperation with law enforcement, offers a tool on the No More Ransom website that can help victims of Sodinokibi/REvil recover their files as long as the attack was carried out before July 2021. In early October, a branch of Sodinokibi/REvil was arrested at the Polish border after an international arrest warrant was issued by the United States. The Ukrainian is suspected of having carried out the Kaseya attack, which affected up to 1,500 downstream companies and for which Sodinokibi/REvil demanded a ransom of about 70 million euros. In addition, in February, April and October 2021, South Korean authorities arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, involving more than 1,500 victims.On November 4, Kuwaiti authorities arrested another GandGrab affiliate, meaning that since February 2021, a total of seven individuals associated with these suspects linked to the two ransomware families have been arrested. In total, they are suspected of having attacked approximately 7,000 victims.

Golddust's connection to GandCrab

Since 2018, Europol has been supporting a Romanian-led investigation targeting the GandCrab ransomware family and involving law enforcement in several countries, including the U.K. and the U.S. GandCrab is one of the most prolific ransomware families in the world, with more than 1 million victims worldwide. These joint law enforcement efforts have resulted in the release of three decryption tools through the No More Ransom project that have saved more than 49,000 systems and averted more than €60 million in unpaid ransoms to date. The investigation also looked at GandCrab affiliates, some of which are believed to have turned to Sodinokibi/REvil. Operation GoldDust was also built on this previous investigative trail against GandCrab.

Decryption without ransom

The support of cybersecurity companies, and departments, has proven to be critical in minimizing the damage caused by ransomware attacks, which remain the biggest cybercrime threat. Many partners have already provided decryption tools for multiple ransomware families through the No More Ransom website. Enterprises were additional supporting partners who also supported this investigation by providing technical expertise to law enforcement.

Currently, No More Ransom has decryption tools for GandCrab (versions V1, V4 and V5 through V5.2) and Sodinokibi/REvil, which has helped more than 1,400 companies decrypt their networks, saving them nearly €475 million in potential losses. The tools provided for both ransomware families achieved more than 50,000 decryptions, for which cybercriminals demanded a ransom of about 520 million euros.

Europol's support

Europol facilitated the exchange of information, supported the coordination of the GoldDust operation, and provided operational as analysis support, as well as cryptocurrency, malware and forensic analysis. During the operational days, Europol deployed experts to each location and activated a virtual command post to coordinate activities on the ground. International cooperation allowed Europol to streamline victim mitigation efforts with other EU countries. These activities prevented private companies from becoming victims of the Sodinokibi/REvil ransomware.

Europol's Joint Cybercrime Action Task Force (J-CAT) supported this operation. This permanent group consists of cyber liaison officers from different countries who work in the same office to conduct high-profile cybercrime investigations.

*Participating Countries: Australia, Belgium, Canada, France, Germany, Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, UK, USA

*Participating Organizations: Europol, Eurojust, and INTERPOL