Law enforcement agencies around the world have made a spate of arrests over the past five days which together constitute one of the largest crackdowns on suspected hackers to date.

The United States on Monday indicted a Russian national and a Ukrainian national, the latter arrested in Poland, for working for REvil, a ransomware gang that has operated with near impunity since at least 2019. Since Thursday, Romania, South Korea and Kuwait have also arrested people believed to be affiliated with REvil.

Some of REvil’s most prominent hacks include those of JBS, a major US meat supplier; Quanta, a Taiwanese manufacturer that builds computers for Apple; and Kaseya, a software company. The Kaseya hack gave REvil access to hundreds of businesses.

The United States and the European Union announced seven arrests on Monday, each accused of deploying malware for REvil.

The United States is trying to put at least one of the suspects in an American jail. The Treasury Department alleged on Monday that the man, Yaroslav Vasinskyi, a Ukrainian national arrested in Poland last month and wanted by the United States, deployed the REvil ransomware, and announced sanctions against him. The United States also indicted and sanctioned a Russian national, Yevgeniy Polyanin, who allegedly deployed REvil against US companies.

The Treasury Department also announced sanctions against a cryptocurrency exchange, Chatex, which allegedly helped hackers launder their victims’ bitcoin payments into cash. Chatex, which did not immediately respond to a Telegram message requesting comment, was down on Monday.

The United States also recovered $6.1 million in funds extorted by REvil, Attorney General Merrick Garland said at a press conference on Monday. The group has taken in more than $200 million in total through its operations, he said.

President Joe Biden welcomed the charges and sanctions in a statement Monday afternoon.

“We are bringing all the strength of the federal government to disrupt malicious cyber activity,” Biden said.

“While much work remains to be done, we have taken important steps to strengthen our critical infrastructure against cyber attacks, hold accountable those who threaten our security, and work with our allies and partners around the world to disrupt ransomware networks,” he said.

Romanian authorities on Thursday arrested two other people suspected of being affiliated with REvil, Europol announced on Monday. In addition, Kuwaiti authorities on Thursday arrested another person accused of being a hacker linked to REvil. And South Korea has quietly arrested people believed to be REvil hackers based there: one each in February, April and October.

South Korea has had far more REvil infections than any other country, said Brett Callow, ransomware analyst at cybersecurity firm Emsisoft, primarily because hackers deployed the ransomware against thousands of individual households.

While far from the only ransomware group that routinely terrorizes victims around the world, REvil had already found itself in the crosshairs of the United States. Members complained last month that some of their systems had been hijacked, unaware they were under attack by US Cyber Command, the headquarters of the country’s most effective offensive hacking operations, the Washington Post reported.

The coordinated international arrests were announced less than a month after the Biden administration hosted an international summit, held over Zoom and the first of its kind, on the fight against ransomware. Poland, Romania, South Korea and Ukraine were all present. Russia, widely regarded as the world’s greatest haven for hackers, was not invited.

Alexandru Cosoi, senior director of the investigative and forensic unit at cybersecurity firm Bitdefender, which assisted law enforcement in the investigation, said the arrests were the culmination of years of work tracking REvil.

“We studied the criminals, we studied the affiliates, we studied the infrastructure, and whenever we had something to provide to law enforcement, we provided it to the whole investigation group,” said Cosoi.

Notably, no Russian national has been arrested. The United States has a frosty relationship with Russia, which it has struggled to persuade to prosecute cybercriminals who attack foreign entities from within its borders.

“The administrators, developers, people who turned the virus into backend platforms, payment platforms, infrastructure are believed to be Russian speaking. They host in Russian. Their communications are in Russian,” Cosoi said.

The scale of the arrests still addresses only a fraction of the threat posed by ransomware, said Joe Slowik, senior director of threat intelligence at computer networking company Gigamon.

“We’ll likely see disruption and friction in the short term, with some lower level entities potentially leaving the game, without having a significant effect on long-term trends in ransomware activity,” Slowik said.

“Essentially, the work always pays well enough and the consequences can always be avoided in a sufficient number of places for operators to continue their work,” he said.