Police in Ukraine have arrested two members of a “prolific” ransomware gang as part of a joint operation among international law enforcement agencies.
The arrests occurred on Sept. 28 following a joint investigation involving the French National Gendarmerie, the Ukrainian National Police, the U.S. Federal Bureau of Investigation, the International Criminal Police Organization (Interpol) and the European Union Agency for Law Enforcement Cooperation (Europol).
Interpol did not name the ransomware gang in a statement today, but the group is suspected of a string of targeted attacks against large industrial groups in Europe and North America dating back to April 2020. The gang would deploy malware and steal sensitive data from its victims before encrypting their files.
Whichever ransomware gang the two arrested are linked to, it appears to be a so-called double-tap gang. Interpol noted that the gang offered a decryption key in exchange for a ransom payment, usually several million dollars, and would threaten to release the stolen data if its demands were not met.
Ukrainian police provided further details, saying that one of the suspects, a 25-year-old, was responsible for attacks on more than 100 companies worldwide, causing $150 million in damage. Along with the arrests, police seized $375,000 in cash and two luxury vehicles and froze cryptocurrency valued at $1.3 million.
Some speculate that the two arrested may be linked to the REvil ransomware gang. Interpol’s note that the gang’s activity started in April 2020 lines up with the REvil ransomware attack on celebrity law firm Grubman Shire Meiselas & Sacks, which was first reported in May 2020 but occurred in April.
“Although Europol declined to provide details on the affiliation of the two suspects, they stated that the individuals had worked for a ransomware group that had targeted corporations in Europe and North America since April 2020,” Stefano De Blasi, cyber threat intelligence analyst at digital risk protection firm Digital Shadows Ltd., told SiliconANGLE. “The group were also reportedly known for their exorbitant ransom demands, which ranged from 5 million to 70 million euros.”
The 70 million euros figure is notable. It could refer to the REvil attack on Kaseya Ltd. in July, although it was reported at the time that the ransom demanded was $70 million, not 70 million euros. That said, ransom demands of that size are extraordinarily rare, which makes it more likely that the two arrested were linked to REvil.
That certainly sounds like #REvil #ransomware. The #Kaseya ransom demand was famously $70 Million, and the average person may think REvil started in April 2020, with the famous hack of Grubman Shire Meiselas & Sacks happening about that time.
— GarWarner (@GarWarner) October 4, 2021
“While solitary operations will not provide a remediation to the ransomware threat overnight, law enforcement operations can have a significant impact to targeted ransomware groups, often resulting in a suspension or disruption of their activity,” De Blasi added. “These raids can achieve their greatest potential when paired with diplomatic efforts, innovative policies and effective public-private partnerships.”