German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang.
He lolls about on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang.
The flashy billionaire goes by “Nikolay K.” on social media, and German law enforcement are hoping he’ll cruise out of Russia on his next vacation – ideally, to a country with a cooperation agreement with Germany so they can arrest him. In case he decides to kick back somewhere other than sunny Crimea, they’ve got an arrest warrant waiting for him.
According to a joint investigation by the German media outlet Zeit Online and the German public broadcaster Bayerischer Rundfunk, investigators from Germany’s Baden-Württemberg State Criminal Police Office (LKA) are convinced that Nikolay K. is part of the core group that runs the ransomware-as-a-service (RaaS) player REvil, aka Sodinokibi.
It’s Rare to Snare a Ransomware Gang’s Big Fish
It wouldn’t be the first time that ransomware operators have been collared, but we don’t often see law enforcement nab the bigwigs. For example, in September, two members of an unnamed ransomware gang (suspected to be REvil) were arrested in Ukraine following a joint international law enforcement operation. In January, a Canadian man was arrested and charged in the U.S. with NetWalker – another RaaS – ransomware attacks.
Those were reportedly small fish, though, as in, the affiliates who rent malware from the actual criminal group and then cut them in for a portion of whatever extortion payment they collect. (Payments that REvil operators cheated their affiliates out of by using a backdoor and double chats, inserting themselves between a victim and an affiliate so that the gang could pocket the whole enchilada.)
Germany’s Grudge Against REvil
REvil’s notorious. Its victim list has included Kaseya and its many managed service provider (MSP) customers, the global meat supplier JBS Foods, and even, audaciously enough, Apple.
True, REvil’s steadily lost clout as a moustache-twirling villain. Twice now it’s had its servers shoved offline, once in July, in mysterious circumstances that the underground and the overground are still debating, and again last week by governments.
According to Reuters, which broke the news about last week’s law enforcement move against the gang, REvil’s also behind the Colonial Pipeline attack, as opposed to a culprit presumed to be a ransomware group named DarkSide.
Still and all, the German Federal Office for Information Security (BSI) classifies REvil as “one of the most dangerous programs in the area,” according to Zeit Online. Its report cites numerous nasty attacks carried out by the gang in Germany, including a 2019 attack against a German IT company that serves doctors’ offices and hospitals, which forced several clinics offline and into emergency operations.
REvil’s also behind a 2019 attack on a Stuttgart theater in which a reportedly earlier version of REvil – GandCrab, which shuttered operations in 2019 – was used.
The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is believed to have paid a 15,000 euro ransom in cryptocurrency.
Tracing the Untraceable
In order to track down the Russian billionaire who could turn out to be part of REvil’s leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect’s digital tracks through anonymous Telegram channels and cryptocurrency payments. They searched for the name he uses on social media, found an associated email address used to register several websites, and looked into Russian phone numbers associated with the sites.
One of the numbers led them to a Telegram account on which a Bitcoin address was published – an address to which more than 400,000 euros had been paid in Bitcoin.
“The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts linked to criminal enterprises to an address that most likely belongs to Nikolay K,” according to the report.
Come Out, Come Out, Wherever You Are
The LKA investigators from Stuttgart are reportedly monitoring social media closely, in hopes that Nikolay K. will trip up.
Investigators aren’t the only ones who keep a close eye on social media and headlines, of course: When governments took down the gang’s leak site and Tor payment site last week, a top leader – 0_neday – realized that the server had been compromised.
0_neday took to the XSS criminal forum, writing that the server had been hacked and that they were exiting stage left:
“The server was hacked, and they were looking for me. They removed the path of my hidden service from the torrc file and replaced it with their own, causing me to go there. I double-checked with others, and this was not the case. Good luck to everyone, I’m leaving now.” —0_neday’s post to the XSS forum.
Good luck with this one, LKA: REvil may have slipped up many times – and been caught at it – lately, but if Nikolay K. is really part of the brains of the REvil operation, he’s presumably smart enough not to step outside Russia’s borders anytime soon.
Some parts of this article are sourced from:
threatpost.com