While some have linked the arrest of two members of a ransomware ring in Ukraine to REvil, police from the several nations involved have released no clear details. Europol, the EU’s law enforcement agency, announced this morning that Ukrainian police had arrested “two serial ransomware operators known for their extortionate demands,” with ransom demands reportedly reaching up to €70 million. This sparked a flurry of speculation.
According to the National Police of Ukraine, one of the two suspects arrested on September 28 was a “hacker.” The other is accused of “assisting in the withdrawal of money obtained through illicit means.” Cryptocurrency worth $1.3 million was reportedly frozen.
A multinational police operation, supported by Europol and Interpol and drawing on information from France’s National Gendarmerie and the US Federal Bureau of Investigation, led Ukrainian officers to their targets.
The 25-year-old suspect is accused of using “virus software” to compromise remote-working software, with one attack vector being “malicious content spam-mailings to business e-mail boxes.”
The Ukrainian police, as is their custom, released a video of themselves searching through the accused perpetrator’s belongings, which included Apple computers, a gaming PC, and enormous quantities of $100 banknotes, valued at $375,000 in total.
“In total, the hacker attacked over 100 foreign enterprises in North America and Europe,” Ukrainian police stated, accusing the 25-year-old detainee of causing $150 million in harm to Western organizations.
Europol’s press office did not respond to phone inquiries. We’ve sent an email to the Ukrainian police, and we’ll update this story if they respond. In the summer, Ukrainian police detained a half-dozen people they suspected of being members of the Clop ransomware ring.
On Twitter, several individuals assumed that the recent Ukrainian arrests were of REvil ransomware gang members. This was based solely on Europol’s claim that the two key suspects had previously issued an “extortionate” €70 million ransom demand, a figure that police in Ukraine had not repeated.
REvil once demanded $70 million (€60.1 million) in ransom from managed service company Kaseya; however, this is not the same amount. In July, the REvil gang took down their Tor-hosted websites, sparking rumors that the Russian-speaking criminal organization had finally met its match. On the other hand, in September, cyber intelligence firm Flashpoint said it had discovered remarks on forums frequented by ransomware offenders claiming that REvil’s rentable software was ripping affiliates off through a covert backdoor.
McAfee also released its October threat report today, stating: “The ransomware Ryuk, REvil, Babuk, and Cuba actively launched business models that encouraged others to participate in exploiting common entry vectors and comparable tools. These, and other groups and their affiliates, make use of similar entrance vectors, and the instruments they employ to move around are often the same.”
It’s a familiar theme: ransomware gangs usually break in by exploiting known weaknesses or sending well-crafted phishing emails, and if the Ukrainian police are to be believed, phishing was one of the techniques their suspect employed. It’s normally the front door, with the back door being the exception.