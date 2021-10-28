German investigators have identified an individual suspected of being an operator of the cybercrime group behind the REvil ransomware, the German media outlets Die Zeit and BR24 revealed on Thursday (October 28).

For several years, ransomware attacks, one of the most lucrative sectors of cybercrime, have wreaked havoc at the heart of the world's largest companies, going so far as to disrupt hospitals, town halls, and even food and oil infrastructure. Yet despite a sharp increase in the number of active gangs, the authorities had never before been able to publicly name one of the leading figures in this organized crime.

Nikolay K. (name changed), a Russian national, is suspected of high-level involvement in REvil's operations: German federal investigators believe he is not merely an affiliate, a hacker who works in partnership with several ransomware groups, but an operator of the gang, that is, one of the core members directly involved in developing, managing or marketing the malware. According to a technical analysis carried out by a third-party company for Die Zeit and BR24, a cryptocurrency wallet that could be linked to the suspect has received payments from multiple addresses associated with ransomware activity.


A very active group

Also known as Sodinokibi, REvil is a particularly virulent group that appeared in 2019. In June of that year, an actor using the handle "Unknown" or "UNKN" began posting on a Russian-language forum well known in the criminal underworld, explaining that a new operation was being set up and was looking to recruit affiliates to carry out ransomware attacks. From that point on, REvil's modus operandi was very conventional: the core group, which develops and maintains the malware, leases it to affiliates specialized in intrusion, who carry out the attacks themselves and share the ransom with the malware's operator. The split of the proceeds has varied over time, with REvil initially offering its affiliates 60% to 70% of the ransom collected in an attack.


Very quickly, REvil adopted another practice that has since become commonplace: threatening to publish confidential data (so-called "double extortion"). When an affiliate carries out an attack and manages to cripple a business, they exfiltrate data, which is then published piecemeal on a website in order to pressure the victim into paying the ransom. The notorious Happy Blog, the site REvil used for this purpose and reachable only over Tor, until recently listed several dozen victims around the world.

Since its inception, REvil/Sodinokibi has carried out several large-scale attacks. Its known victims include Quanta Computer, a major Apple subcontractor, a division of the electronics giant Acer, and JBS, a very large American meat slaughtering and processing company; in the latter case, the company paid the criminals a ransom of $11 million (€9.5 million). The group and its affiliates also carried out a high-profile attack during the summer against Kaseya, whose IT management software is used by service providers around the world. Through it, the attackers managed to infect several hundred companies in a matter of hours.

In recent weeks, the noose has tightened around REvil. At the end of October, the US federal authorities, with technical support from an unnamed allied country, took down the Happy Blog and the technical infrastructure used by the criminal group, as the Reuters news agency revealed. Before that, the FBI had also managed to gain access to REvil servers and recover decryption keys, the tools needed to restore victims' files encrypted by the attackers during a ransomware attack.


A trip to Turkey

According to Die Zeit and BR24, the German authorities have prepared an arrest warrant for Nikolay K. and are waiting for him to leave Russian territory. Although he traveled to Turkey this summer for a yacht vacation with his wife and friends, when his wife returned to that country in the fall, she did so without her husband, according to photos posted on Instagram.

Investigations into REvil have been opened in many countries. The FBI in the United States, as well as the German authorities, are seeking to track down the operators of this ransomware. In France, the investigation has been entrusted to the cybercrime brigade (BL2C) of the Paris police headquarters.


Like most of the criminal groups behind ransomware operations, REvil was strongly suspected of operating from Russia. The malware was specifically designed not to infect computers located in countries of the former Soviet Union, typically by checking the system's language settings before running, a very common pattern. Meanwhile, several Western governments accuse the Russian authorities of turning a blind eye to the cybercrime flourishing on their territory.

REvil holds a very symbolic and special place in cybercrime. This virulent group is strongly suspected of being an offshoot of GandCrab, a cybercriminal gang that gained notoriety from 2018 onward. At that time, ransomware operators did not always target very large companies in search of multi-million dollar payouts; attacks were cast widely and hit many individuals and SMEs. GandCrab revolutionized this criminal sector by imposing a new economic model, "ransomware on demand", also called ransomware as a service: the malware developers sell their software to other cybercriminals for use in attacks and demand a share of the proceeds in return.


While GandCrab was not the first group to attempt this strategy, it was the first to popularize it, and its ransomware soon became one of the most prevalent. The actor posting as Unknown has publicly explained that the operators of REvil were former GandCrab affiliates who bought the malware's code when the group retired in 2019. Analysts indeed agree that there are similarities between the GandCrab code and that of the ransomware spread by REvil. It is not known whether Nikolay K. is also suspected of being an operator of GandCrab, but, according to Die Zeit, it was by following the trail of cryptocurrency transfers linked to that group in 2019 that German investigators picked up the suspect's trail.
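The two findings above (a wallet receiving funds from several ransomware-linked addresses, and investigators following the transfer trail outward from a known group) both rest on forward-tracing coins across a transaction graph. The example below is added here to show how such a trace works in principle; it is not the method used by the third-party analysts for Die Zeit and BR24, and the ledger, addresses, amounts and the 70/30 affiliate/operator split are all constructed. It computes the shortest address chain from any known ransom address to a wallet (breadth-first search) and a "haircut" taint share, one of several attribution rules used in practice, which dilutes proportionally whenever tainted coins are co-spent with coins of unknown origin.

```python
"""Forward-trace funds from known ransomware addresses through a ledger.

Two views: the shortest address-to-address chain by which coins reached a
wallet (BFS), and a "haircut" taint share that is diluted proportionally
whenever tainted and untainted inputs are co-spent in one transaction.
The ledger, addresses and amounts below are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Tuple[str, Fraction], ...]   # (spending address, amount)
    outputs: Tuple[Tuple[str, Fraction], ...]  # (receiving address, amount)


def tx(txid: str, ins: Iterable[Tuple[str, str]], outs: Iterable[Tuple[str, str]]) -> Tx:
    """Build a Tx from (address, decimal-string amount) pairs; Fraction keeps arithmetic exact."""
    return Tx(txid, tuple((a, Fraction(v)) for a, v in ins), tuple((a, Fraction(v)) for a, v in outs))


# Constructed sample ledger in chronological order (hypothetical addresses,
# amounts and a 70/30 affiliate/operator split; not real chain data).
KNOWN_RANSOM_ADDRESSES: Set[str] = {"ransom_1", "ransom_2"}
LEDGER: List[Tx] = [
    tx("tx1", [("victim_A", "10")], [("ransom_1", "10")]),
    tx("tx2", [("victim_B", "5")], [("ransom_2", "5")]),
    tx("tx3", [("ransom_1", "10")], [("affiliate_1", "7"), ("operator_1", "3")]),
    tx("tx4", [("ransom_2", "5")], [("affiliate_2", "3.5"), ("operator_1", "1.5")]),
    # the operator co-spends with coins of unknown origin, diluting the taint
    tx("tx5", [("operator_1", "4.5"), ("other_1", "5.5")], [("suspect_wallet", "10")]),
    tx("tx6", [("other_2", "2")], [("suspect_wallet", "2")]),
]


def shortest_paths(ledger: List[Tx], seeds: Set[str]) -> Dict[str, List[str]]:
    """BFS over the address graph (input address -> output address per tx).
    Returns, for each address reachable from a seed, the shortest chain of
    addresses the funds passed through. Seeds are visited in sorted order so
    the result is deterministic."""
    succ: Dict[str, Set[str]] = {}
    for t in ledger:
        for src, _ in t.inputs:
            for dst, _ in t.outputs:
                if dst != src:
                    succ.setdefault(src, set()).add(dst)
    paths: Dict[str, List[str]] = {s: [s] for s in sorted(seeds)}
    queue = deque(sorted(seeds))
    while queue:
        addr = queue.popleft()
        for nxt in sorted(succ.get(addr, ())):
            if nxt not in paths:
                paths[nxt] = paths[addr] + [nxt]
                queue.append(nxt)
    return paths


@dataclass
class TaintState:
    balance: Dict[str, Fraction] = field(default_factory=dict)
    tainted: Dict[str, Fraction] = field(default_factory=dict)
    sources: Dict[str, Set[str]] = field(default_factory=dict)  # receiver -> tainted payers

    def fraction(self, addr: str) -> Fraction:
        """Share of an address's current balance that traces back to a seed."""
        bal = self.balance.get(addr, Fraction(0))
        return self.tainted.get(addr, Fraction(0)) / bal if bal else Fraction(0)


def haircut_taint(ledger: List[Tx], known: Set[str]) -> TaintState:
    """Replay the ledger in order. Coins landing on a known ransom address are
    fully tainted; every other output inherits the tainted share of the
    transaction's inputs (the "haircut" rule). Inputs spent from an address the
    ledger never funded are out of scope and treated as clean."""
    st = TaintState()
    for t in ledger:
        total_in = sum((amt for _, amt in t.inputs), Fraction(0))
        tainted_in = Fraction(0)
        tainted_payers: Set[str] = set()
        for addr, amt in t.inputs:
            bal = st.balance.get(addr, Fraction(0))
            if bal <= 0:
                continue  # externally funded: unknown origin, assumed clean
            share = st.tainted.get(addr, Fraction(0)) / bal
            tainted_in += amt * share
            st.balance[addr] = bal - amt
            st.tainted[addr] = st.tainted.get(addr, Fraction(0)) - amt * share
            if share > 0:
                tainted_payers.add(addr)
        ratio = tainted_in / total_in if total_in else Fraction(0)
        for addr, amt in t.outputs:
            st.balance[addr] = st.balance.get(addr, Fraction(0)) + amt
            st.tainted[addr] = st.tainted.get(addr, Fraction(0)) + (amt if addr in known else amt * ratio)
            if tainted_payers:
                st.sources.setdefault(addr, set()).update(tainted_payers)
    return st


if __name__ == "__main__":
    paths = shortest_paths(LEDGER, KNOWN_RANSOM_ADDRESSES)
    state = haircut_taint(LEDGER, KNOWN_RANSOM_ADDRESSES)
    print(" -> ".join(paths["suspect_wallet"]))
    print("tainted share of suspect_wallet:", state.fraction("suspect_wallet"))
    print("tainted payers:", sorted(state.sources["suspect_wallet"]))
```

On the constructed ledger, the suspect wallet is two hops from a ransom address (ransom_1 -> operator_1 -> suspect_wallet) and 3/8 of its final balance is attributable to ransom payments, because the operator's 4.5 tainted coins were co-spent with 5.5 of unknown origin and then topped up with 2 more. Real investigations face the choices this toy hides: which attribution rule to apply (haircut, FIFO, poison), how to treat mixers and exchanges, and how to cluster addresses under common ownership before tracing.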