Romanian law enforcement authorities have announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history.

The suspects are believed to have orchestrated more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust, which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021.


This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the devastating attack on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 victims, while collectively demanding more than €200 million in digital ransoms.

Short for Ransomware Evil, REvil (aka Sodinokibi) is seen as the successor of GandCrab and has been linked to a number of high-profile ransomware attacks subsequent to its emergence in the threat landscape in 2019. Operating as a ransomware-as-a-service (RaaS), the cybercrime syndicate is known to rent their malware source code to affiliates, typically after vetting their technical skills, who, in turn, are responsible for carrying out the attacks against appropriate victims.

That said, REvil has had a turbulent few months in the wake of Kaseya ransomware attacks, not least in part fuelled by a series of steps taken by governments around the world to tackle the ransomware ecosystem, calling it an "escalating global security threat with serious economic and security consequences." On July 14, the dark web data leak portals owned by the group went off the grid, only to make a reappearance in September after a two-month break.


But the criminal group shut down its operations again last month after the U.S. Cyber Command, in partnership with a foreign government, compromised its Tor infrastructure, forcing its websites to be taken offline, according to a Washington Post report. Romanian cybersecurity firm Bitdefender has since made available a free universal decryptor that REvil victims can use to restore their files and recover from attacks carried out prior to July 13, 2021.

The sweeping international law enforcement effort aimed identifying, wiretapping, and seizing the infrastructure used by the REvil ransomware cartel was undertaken by Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the U.K., and the U.S., along with support from Europol, Eurojust, and Interpol.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.