DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Five Affiliates of Sodinokibi/REvil Have Been Arrested by Now

Posted on November 8, 2021 by Dissent

On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.

Since 2019, several large international corporations have faced severe cyber-attacks, which deployed the Sodinokibi/REvil ransomware. France, Germany, Romania, Europol and Eurojust reinforced the actions against this ransomware by setting up a Joint Investigation Team in May 2021. Bitdefender, in collaboration with law enforcement, made a tool available on the No More Ransom website that would help victims of Sodinokibi/REvil restore their files and recover from attacks made before July 2021. In October, one affiliate was arrested in Europe. Additionally, in February, April and October 2021 authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims. On 4 November, Kuwaiti authorities arrested another GandGrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total.

GOLDDUST’ LINKS TO GANDCRAB

Since 2018, Europol has supported a Romanian-led investigation which targets the GandCrab ransomware family and involved law enforcement authorities from a number of countries, including the United Kingdom and the United States. With more than one million victims worldwide, GandCrab was one of the world’s most prolific ransomware families. These joint law enforcement efforts resulted in the release of three decryption tools through the No More Ransom project, saving more than 49,000 systems and over €60 million in unpaid ransom so far. The investigation also looked at the affiliates of GandCrab, some of whom are believed to have moved towards Sodinokibi/REvil. Operation GoldDust was also built up on leads from this previous investigation targeting GandCrab.

DECRYPT WITH NO MORE RANSOM

The support from the cybersecurity sector has proven crucial for minimising the damage from ransomware attacks, still the biggest cybercrime threat. Many partners have already provided decryption tools for a number of ransomware families via the No More Ransom website. Bitdefender supported this investigation by providing key technical insights throughout the entire investigation, along with decryption tools for both of these highly prolific ransomware families to help victims recover their files. KPN and McAfee Enterprises are other private sector partners that have also supported this investigation, by providing technical expertise to law enforcement.

Currently, No More Ransom has decryption tools for GandCrab (V1, V4 and V5 up to V5.2 versions) and for Sodinokibi/REvil. The Sodinokibi/REvil decryption tools helped more than 1400 companies decrypt their networks, saving them almost €475 million in potential losses. The tools made available for both ransomware families enabled more than 50 000 decryptions, for which cybercriminals had asked about €520 million in ransom.

EUROPOL’S SUPPORT

Europol facilitated the information exchange, supported the coordination of operation GoldDust and provided operational analytical support, as well as cryptocurrency, malware and forensic analysis. During the action days, Europol deployed experts to each location and activated a Virtual Command Post to coordinate the activities on the ground. The international cooperation enabled Europol to streamline victim mitigation efforts with other EU countries. These activities prevented private companies from falling victim to Sodinokibi/REvil ransomware.

The Joint Cybercrime Action Taskforce (J-CAT) at Europol supported the operation. This standing operational team consists of cyber liaison officers from different countries who work from the same office on high profile cybercrime investigations.

*Participant countries: Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg,  Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, the United States

* Participating organisations: Europol, Eurojust and Interpol

Source: Europol.
Category: MalwareNon-U.S.Of Note

Post navigation

← Maxim Healthcare notifies patients of breach that occurred in October, 2020
Human error blamed for Eastern Ontario school board data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.