REvil Perps: Arrests for Some, $10M Bounties on Others

Alleged REvil ransomware hackers have been arrested, with additional suspects charged. A coordinated international effort is tightening the noose around the gang and its many affiliates.

AG Merrick Garland (pictured) says the DoJ is “sparing no resource” to bring ransomware perps to justice. But it would probably be a bit easier if Russia would help by extraditing suspects.

So there’s also a bounty. In today’s SB Blogwatch, we wonder if the State Department’s latest tactic will bear fruit.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: News from New Zealand.

DoJ+FBI+State Get Serious

What’s the craic? Teri Robinson reports—“Gotcha! Charges in REvil Attack, Feds Seize $6M”:

Potential to devastate thousands of businesses
The long arm of the law just reached out and dragged Yaroslav Vasinskyi into the American criminal justice system, readying charges against the Ukrainian man for a REvil ransomware attack against a U.S. company, Kaseya, in July. Law enforcement also relieved … Russian national Yevgeniy Polyanin … of $6 million in ransom payments.

REvil went on a tear earlier this year, launching attack after damaging attack, and sending both the public and private sectors scrambling to harden defenses. The breadth of the Kaseya attack, which began on the Friday of the U.S. Independence Day weekend, raised the alarm for many. The international managed services company manages internet services for countless organizations and the attack had the potential to devastate thousands of businesses.

REvil has darted in and out of public view in the past several months, claiming to shut down as the feds closed in on them in September … only to reemerge in underground forums. … The group went to ground again in October, going dark after its payment portal and blog used to leak victims’ data were hijacked, perhaps by a former member who goes by “Unkn.”

And then the other shoe dropped. Joe Tidy doesn’t mince his words—“Day of reckoning for notorious cyber gang”:

Unequivocally great news
The co-ordinated action against the REvil gang was announced … by Romanian police, the … DOJ and Europol. The raids, which took place both on and offline, led to the arrests of two alleged hackers in Romania and one from Ukraine.

This multinational police operation is extremely impressive in its coordination and aggression and shows just what can be done to attack these cyber-criminals. … It feels like a turning point in the fight against ransomware.

Good news is rare in cyber-security, especially in the last 18 months when the surge in ransomware attacks has targeted everything from public institutions to schools and hospitals. But this is unequivocally great news.

How are we going to find the rest of the scrotes? Brian Krebs cycles in with analysis—“REvil Ransom Arrest, $6M Seizure, and $10M Reward”:

Let the games begin
The U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information [about] any individual conspiring to participate in … a REvil ransomware incident.

I really like this bounty offer and I hope we see more just like it for other ransomware groups. Because … a lot of these guys simply aren’t too hard to find. … Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. … Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian … alleged to be REvil Affiliate #23.

The apparent lack of any real operational security by either of the accused here is so common that it is hardly remarkable. … I have found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

[For example via] password re-use by cybercriminals (yes, crooks are lazy, too). [Also] cybercriminal forums, services, etc. get hacked just about as much as everyone else.

Let the games begin.
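Krebs's point about password re-use is easy to show with a small persona-linking script. The following is an added example, not code from the article or from Krebs; the dumps, handles and e-mail addresses are constructed, and it assumes the leaked hashes have already been cracked to plaintext (with unsalted hashes the same pivot works directly on the hash value).

```python
"""Cross-dump persona linking by shared credentials.

Constructed example, not the article's or Krebs's code. Every record below
is made up. Assumption: the analyst has already cracked the leaked hashes,
so plaintext passwords are available to pivot on.
"""
from collections import defaultdict

# Constructed sample dumps: (handle or name, email, plaintext password).
FORUM_A = [
    ("cryptolord", "cl_throwaway@example.net", "Tr0ub4dor&3"),
    ("darkmoon", "dm@example.net", "123456"),
    ("zeroday_z", "zz@example.org", "hunter2"),
]
FORUM_B = [
    ("ransom_king", "ivan.petrov@example.com", "Tr0ub4dor&3"),
    ("moonlight", "moon@example.com", "123456"),
]
SHOP = [  # a legitimate retailer's dump, where the "handle" is a real shipping name
    ("Ivan Petrov", "ivan.petrov@example.com", "Summer2019!"),
    ("Anna Lee", "anna@example.com", "123456"),
]

# Passwords too common to count as a link: two strangers both using
# "123456" is noise, not evidence.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "hunter2", "111111"}


def link_personas(dumps, common_passwords=COMMON_PASSWORDS):
    """Return (groups, evidence).

    groups:   list of sets of "source:handle" nodes that share an email
              address or an uncommon password, transitively (union-find).
    evidence: list of (node_a, node_b, reason) edges behind those groups.
    """
    parent = {}
    evidence = []

    def find(node):
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b, reason):
        evidence.append((a, b, reason))
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_email = defaultdict(list)
    by_password = defaultdict(list)
    for source, rows in dumps.items():
        for handle, email, password in rows:
            node = f"{source}:{handle}"
            parent.setdefault(node, node)
            by_email[email.strip().lower()].append(node)
            if password not in common_passwords:
                by_password[password].append(node)

    # A shared email is the strong pivot; a shared uncommon password is
    # weaker evidence, but it is exactly the mistake Krebs describes.
    for email, nodes in by_email.items():
        for other in nodes[1:]:
            union(nodes[0], other, f"shared email {email}")
    for nodes in by_password.values():
        for other in nodes[1:]:
            union(nodes[0], other, "shared uncommon password")

    groups = defaultdict(set)
    for node in parent:
        groups[find(node)].add(node)
    return [g for g in groups.values() if len(g) > 1], evidence


if __name__ == "__main__":
    groups, evidence = link_personas({"forumA": FORUM_A, "forumB": FORUM_B, "shop": SHOP})
    for group in groups:
        print("linked:", sorted(group))
    for a, b, reason in evidence:
        print(f"  {a} <-> {b}: {reason}")
```

On the constructed data, the throwaway forum persona "cryptolord" reaches a real shipping name in two hops: a reused uncommon password ties it to "ransom_king", whose registration e-mail also appears in the retailer's dump. The two accounts that merely share "123456" are left unlinked, which is the caveat to keep in mind: a common-password filter is what separates a lead from a coincidence, and even a surviving link is a lead for investigators to corroborate, not proof of identity.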

So the “world police” are arresting the REvil gang? Not so fast, says snapetom:

Ransomware as a Service
It should be pointed out these are affiliates, not actual members. [Hence] the bounty for actual REvil leadership members.

This is what makes Ransomware as a Service so dangerous: It’s basically franchising. The actual REvil gang gets to outsource the arrest risk to a third party and still gets paid billions.

But the alleged Russian hacker is still at large—as t.reagan explains:

Russia is unlikely to extradite its own citizen to the US, so Mr Polyanin is expected to join a growing list of wanted alleged Russian hackers.

What can we learn from this? Here’s what kvakvs learned today:

What I learned from this: If you piss off the USA, you can’t travel freely and brave your invulnerability. You should be sitting quiet in Russia—which won’t extradite you—and not flashing your stolen money. Because if you do, your local bandits will find you, and if you don’t, the USA will find you.

Wait. Pause. How did the feds get that six million back? phantomfive joins the dots:

The US secret service, in conjunction with other countries, hacked the hackers. They had the private key for the bitcoin account.

What else do we know about Vasinskyi and Polyanin? woko waxes wowed:

Wow!
These two people are respectively 22 and 28 years old. They have spent their time in cyber-crime environments since their teenage years. … A third of his life for the first one, and half of his life for the second one.

The first one had an account on a cybercrime forum 8 years ago, so he was 14! … The second one had an account 13 years ago, so he was 15. Wow!

Meanwhile, this Anonymous Coward won’t be celebrating until a few more shoes drop:

A win for the war on dru… ransomware. We’re safe now!

And Finally:

“Holy snappin’ turtle teeth!”

Hat tip: Mudface

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: U.S. DoJ

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
