International law enforcement arrested REvil ransomware affiliates in Romania and Kuwait

Romanian police arrested two alleged Sodinokibi/REvil ransomware affiliates accused to have orchestrated attacks against thousands of victims.

Romanian law enforcement agencies have arrested two alleged Sodinokibi/REvil ransomware affiliates on November 4, that are accused of having conducted attacks against thousands of victims.

The arrests are the result of an international operation carried out in cooperation with law enforcement authorities in several countries (Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden , Switzerland, Kuwait, United Kingdom, United States of America) with the support of Europol and Interpol.

DIICOT (the Romanian Directorate for Investigating Organized Crime and Terrorism) and judicial police officers performed four home searches in Constanța and seized electronic equipment (laptops, mobile phones) and storage media.

The prosecutors ordered the detention for a period of 24 hours of the 2 defendants, for illegal access to a computer system with the intent of disrupting the operation of compromised networks and conducting money laundering. Local authorities ordered the preventive detention of 30 days for the two affiliates.

“The investigations were carried out in order to document the criminal activity of the members, from the Romanian territory, who were part of the groups known in the online environment with the names GandCrab and REvil / Sodinokibi.” reads the announcement published by DIICOT.

The operation, codenamed GoldDust, also resulted in the arrest of a third individual in Kuwait that is suspected to be a GandGrab ransomware affiliate. According to the press release published by Europol, the three alleged affiliates are accused of having launched roughly 7000 attacks, asking for over €200 million in ransom.

“On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL.” reads the press release published by the Europol.

The authorities have also arrested three other individuals suspected to be REvil affiliates in South Korea in February, April, and October.

“Since 2018, Europol has supported a Romanian-led investigation which targets the GandCrab ransomware family and involved law enforcement authorities from a number of countries, including the United Kingdom and the United States,” continues the Europol. “All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]