Europol announced today three arrests of individuals who may be involved in ransomware activities across the world. The suspects are allegedly responsible for 5,000 infections, which represented about half a million euros in ransom payments.

Two individuals suspected of deploying the Sodinokibi/REvil ransomware have been arrested by the Romanian authorities, while another individual has been arrested in Kuwait.

These arrests are connected to previous law enforcement operations from February 2021, bringing the number of arrests related to the Sodinokibi/REvil and GandCrab ransomware families to seven.

The Sodinokibi/REvil ransomware

The ransomware known as Sodinokibi appeared in April 2019 and revealed similarities in its code with another ransomware, dubbed GandCrab. Threat researchers believe it is highly probable that it was programmed by the same developers.

Sodinokibi has been one of the most notorious ransomware threats in 2021. It works in a Ransomware-as-a-Service (RaaS) model, where the main criminal organization (generally called REvil) provides the malware code and updates to affiliates who spread it and handle the infections. Once a ransom is paid, the profits are shared between the affiliates and the REvil cybercriminals.

In 2020, the group became famous by launching several high-profile attacks targeting companies like money transfer service Travelex, Honda, Jack Daniel's maker Brown-Forman and law firm Grubman Shire Meiselas & Sacks, which represents major figures like former president of the US Donald Trump and artists like Madonna and Robert De Niro.

Operation GoldDust

Several efforts have been coordinated since 2019 to help fight the Sodinokibi/REvil attacks. France, Germany, Romania, Europol and Eurojust set up a joint investigation team on that ransomware in May 2021, while Bitdefender, in collaboration with law enforcement, made a tool available on the No More Ransom website to recover files encrypted before July 2021.

A previous investigation led by Romania and involving several other countries focusing on the GandCrab ransomware family helped release three more decryption tools on the No More Ransom website and provided leads to Operation GoldDust. Those tools saved more than 49,000 systems and over €60 million in unpaid ransom according to Europol.

Operation GoldDust is part of a wider four-year operation, which coordinated 19 law enforcement agencies in 17 countries: Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.

More and more arrests

The massive growth of ransomware activities in recent years has raised it to a top priority for law enforcement agencies around the world. The US Department of Justice decided last June to elevate investigations on ransomware attacks to the same level of priority as terrorism in the US.

In 2020, Chainalysis, a company specializing in analyzing cryptocurrency transfers, reported that the total amount paid by ransomware victims increased by 311% that year to reach nearly $350 million worth of cryptocurrency.

In February 2021, the South Korean National Police announced the arrest of a 20-year-old suspected of being a GandCrab ransomware affiliate. Another GandCrab affiliate, a 31-year-old man, had been arrested in July 2020 in Belarus.

Last month, 12 individuals suspected of being involved in ransomware activities in relation to LockerGoga, MegaCortex and Dharma ransomware were arrested in a joint effort from eight countries.

While Europol announced its success with Operation GoldDust, the US Department of Justice revealed charges against Yaroslav Vasinskyi, a 22-year-old arrested in Ukraine last month, and Yevgeniy Polyanin, a 28-year-old Russian national. Both are suspected of conducting Sodinokibi/REvil ransomware attacks against multiple victims.

The recent arrests are causing huge ripples in the world of ransomware threat actors, who thought they would avoid being caught by using cryptocurrencies and darknet infrastructures.

According to Coveware, the most common attack vector used by Sodinokibi/REvil is RDP sessions, followed by phishing emails and software/hardware vulnerability exploitation. Those initial compromise methods are used by other actors in the ransomware field as well.
