Suspected REvil scammers arrested amid ongoing crackdown on ransomware

Two cybercrime suspects accused of launching 5,000 ransomware attacks and netting roughly $579,000 were arrested by Romanian authorities, Europol announced Monday.

The suspects allegedly used REvil, a ransomware strain associated with a notorious Russian cybercrime gang and deployed in a recent string of high-profile international ransomware incidents. Until recently, REvil was perhaps the most widely used ransomware, generating hundreds of millions of dollars in revenue for its operators and affiliates.

The Europol arrests coincide with the U.S. Department of Justice’s seizure of $6 million in ransomware payments connected to REvil activity, according to CNN. Authorities have charged Yevgeniy Polyanin, a Russian national, and Yaroslav Vasinskyi, a Ukrainian national whose arrest was first reported by CyberScoop, in connection with deploying REvil ransomware.

The Romanian arrests are the sixth and seventh in an ongoing international law enforcement crackdown on ransomware operators. Since February, Europol said, three REvil affiliates have been arrested, along with two suspects connected to GandCrab, a formerly prolific ransomware strain. The earlier arrests took place elsewhere in Europe, in South Korea and in Kuwait.

The arrests are part of Operation GoldDust, which involves 17 countries, including the United States, in a sprawling effort to combat ransomware gangs and affiliates. Europol notes that the GoldDust arrests “follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.”

The Washington Post reported last week that U.S. Cyber Command and an unnamed foreign government targeted REvil infrastructure in an operation that led the group to fold its operations. The foreign government hacked REvil’s servers without the group noticing, the Post reported, while U.S. Cyber Command took the group’s website offline in October by hijacking its traffic.

This is a developing news story that will be updated as more information becomes available.