‘GoldDust’ operation shuts down REvil
Posted by: GuidePoint Security
Published 11/17/21, 9:00am
The REvil ransomware operation (also known as GandCrab and Sodinokibi), whose spokesperson at one time notoriously claimed that they weren’t afraid to be labeled a terrorist organization, appears to have finally been shut down, hopefully for good.
A globally coordinated effort dubbed GoldDust, underway since February 2021 and involving law enforcement from 17 countries, including the United States Department of Justice (DOJ) and Europol, has succeeded in arresting five individuals, indicting an additional two hackers, seizing $6 million in stolen ransomware funds, and placing sanctions against a cryptocurrency exchange server. The DOJ is also currently offering a $10 million reward for information that can lead to the identification or location of other REvil ransomware criminals. In addition, DOJ is offering up to $5 million for “information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.”
The REvil ransomware criminals are best known for their attacks on JBS Meats and Kaseya and for overseeing one of the most successful global ransomware-as-a-service (RaaS) operations. Industry researchers estimate that REvil has hit at least 140 organizations since April 2019. Approximately 60% of the victim organizations were located in the United States, followed by victims in the United Kingdom, Australia, and Canada. REvil profits over the last year are estimated to be between $80 million and $100 million.
Last week, the U.S. DOJ announced indictments against two REvil hackers, one from Ukraine and the other from Russia. The Ukrainian hacker, Yaroslav Vasinsky, was arrested in Poland, and US officials are seeking his extradition. The Russian hacker, Yevgeniy Polyanin, has yet to be apprehended; however, DOJ officials have seized $6.1 million in funds stolen by Polyanin during his ransomware activities.
On the same day as the DOJ indictments, Europol announced that five other REvil suspects had been arrested since February 2021, having been captured in Romania, South Korea, and Kuwait.
Industry researchers remind businesses that the primary REvil/Sodinokibi operators continue to manage ransomware activities from within the safety of Russia and likely with the support of the Russian government. All REvil arrests and indictments to date are for affiliates operating under the REvil RaaS service, and not the actual REvil masterminds.
It is believed that the owners and developers of the REvil ransomware earn between 20% and 30% of any RaaS ransomware proceeds, with the remaining money going to the affiliates who gain access to corporate networks and deploy the REvil malware.
Incident response organizations that have worked with victims of REvil report that victims who paid the ransom often found themselves re-extorted a few weeks later using the same data stolen in the initial intrusion. In addition, REvil affiliate operators routinely fail to keep their promises, publishing victim data anyway or presenting false evidence of data deletion.
Next Steps
Organizations can protect themselves from ransomware by instituting multifactor authentication procedures and by monitoring privileged account activity for unusual behavior. Additional recommendations include maintaining data backups in a location unconnected to the main enterprise systems, training employees to detect phishing attempts, and applying least privilege and zero trust principles. Both the FBI and cybersecurity professionals strongly advise against paying a ransom should a business find itself the victim of a ransomware attack. As described above, ransomware operators cannot be trusted, and ransom payments guarantee neither file or data recovery nor data privacy. Victims are also strongly encouraged to report ransomware attacks and to work with local law enforcement and ransomware incident response teams to investigate and mitigate the attack.
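The recommendation to monitor privileged account activity for unusual behavior is easier to act on with a concrete baseline-and-deviation check. The script below is an added example written for this article, not GuidePoint tooling or anything from the GoldDust investigation. It learns which hosts each privileged account normally logs on from, then flags later events from an unseen host or outside working hours, rating privilege-assignment events highest. The log format, account names, host names, working-hours window and event names (loosely modelled on Windows logon and special-privilege events) are all constructed assumptions.

```python
"""Flag unusual privileged-account activity from constructed logon records.

Added example, not GuidePoint's code. Record format (an assumption):
    <ISO timestamp>,<account>,<source_host>,<event>
where <event> is "logon" or "priv_assigned".
"""
from collections import defaultdict
from datetime import datetime

# Constructed set of accounts treated as privileged.
PRIVILEGED_ACCOUNTS = {"svc_backup", "da_admin"}
# Assumed normal working window: 07:00 to 19:59 local time.
WORK_HOURS = range(7, 20)

# Constructed baseline period used to learn each account's usual hosts.
BASELINE_LOG = """\
2021-11-01T08:12:00,da_admin,ADMIN-WS01,logon
2021-11-01T09:40:00,da_admin,ADMIN-WS01,priv_assigned
2021-11-02T10:05:00,da_admin,ADMIN-WS02,logon
2021-11-02T14:30:00,svc_backup,BACKUP01,logon
2021-11-03T14:30:00,svc_backup,BACKUP01,logon
2021-11-03T11:00:00,jdoe,WS-1042,logon
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
2021-11-10T09:15:00,da_admin,ADMIN-WS01,logon
2021-11-10T02:47:00,da_admin,WS-1042,logon
2021-11-10T02:48:00,da_admin,WS-1042,priv_assigned
2021-11-10T14:30:00,svc_backup,BACKUP01,logon
2021-11-10T03:10:00,svc_backup,FILESRV07,priv_assigned
2021-11-10T03:12:00,jdoe,WS-1042,logon
"""


def parse(log):
    """Turn the constructed CSV-style text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, event = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "event": event,
        })
    return events


def build_baseline(events):
    """Map each privileged account to the set of hosts it has logged on from."""
    hosts = defaultdict(set)
    for e in events:
        if e["account"] in PRIVILEGED_ACCOUNTS:
            hosts[e["account"]].add(e["host"])
    return dict(hosts)


def flag_unusual(baseline_hosts, events):
    """Return one alert per privileged event that deviates from the baseline."""
    alerts = []
    for e in events:
        if e["account"] not in PRIVILEGED_ACCOUNTS:
            continue  # ordinary users are out of scope for this check
        reasons = []
        if e["host"] not in baseline_hosts.get(e["account"], set()):
            reasons.append("new source host")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if not reasons:
            continue
        # Privilege assignment under anomalous conditions outranks a bare logon.
        severity = "high" if e["event"] == "priv_assigned" else "medium"
        alerts.append({
            "ts": e["ts"].isoformat(),
            "account": e["account"],
            "host": e["host"],
            "event": e["event"],
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


def run():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return flag_unusual(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"{a['severity']:6} {a['ts']} {a['account']}@{a['host']} "
              f"{a['event']}: {', '.join(a['reasons'])}")
```

On the constructed data this produces three alerts: the 02:47 logon by da_admin from a workstation it has never used, the privilege assignment that follows a minute later, and the off-hours privilege assignment by the backup service account on an unfamiliar file server. A production version would learn the baseline from weeks of real logon telemetry and add per-account working windows, but the structure (learn normal, alert on deviation, weight privilege use) is the part the recommendation is asking for.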