About REvil/Sodinokibi And Other Cybercriminal Gangs

REvil is a supremely dangerous piece of cybercriminal ransomware, known to be offered as ransomware-as-a-service. The ransomware, also known as Sodinokibi, was first identified in 2019 and has been attributed to the “financially motivated GOLD SOUTHFIELD threat group”, according to threat intelligence research by Secureworks. Tom Kellerman, adviser to the U.S. Secret Service on cybercrime investigations, stated last month, in October, that REvil is at the top of the list of cybercriminal groups. This particular ransomware has struck medical facilities, the IT management company Kaseya, large companies such as Acer, and critical infrastructure, causing immeasurable panic and damage. It is well established that cybercriminal gangs such as DarkSide, Babuk, and REvil have had a hand in worldwide critical infrastructure disruptions. REvil also accounted for 73% of all attacks in Q2 of 2021 and extorted millions of dollars from victims for personal gain, according to recent McAfee threat intelligence (editorial team update: the research is no longer available on the source’s site). Several wings of the U.S. government, such as the FBI, U.S. national intelligence, and Cyber Command, have been after REvil for a while, finally managing to thwart its operations and shut down the ransomware gang’s servers in October 2021.

Mounting Pressure on Ransomware Gangs

Earlier this month, following the reported shutdown of REvil, a ransomware gang known as BlackMatter also announced that its “project is closed” due to pressure from authorities. The notorious “cl0p” ransomware operation was also taken apart by INTERPOL this month.

REvil Affiliate Polyanin is Wanted by The FBI

A wanted report on the FBI’s online portal released earlier this month confirms that Polyanin is wanted by the FBI for “Conspiracy to Commit Fraud and Related Activity in Connection with Computers; Intentional Damage to a Protected Computer; [and] Conspiracy to Commit Money Laundering.” Furthermore, the report released this month details the whereabouts of Polyanin, who is “believed to be in Russia, possibly in Barnaul.” The report also confirms that the hacker “is one of many Sodinokibi/REvil ransomware affiliates.” The report goes on to state that Polyanin is wanted for ransomware attacks and money laundering activities. It gives a few more details of his methods:

Polyanin used electronic notes “in the form of a text file on victims computers.” These notes included malicious web addresses leading to ransomware data-encryption traps. The victims would have to pay the ransom in virtual currency. Upon payment, the data taken hostage was released. If the payment was not made, “Polyanin typically posted the victims exfiltrated data or claimed he sold the exfiltrated data to third parties.”

The report outlines that the hacker has been charged in an indictment filed with the United States District Court for the Northern District of Texas, Dallas, with conspiracy to commit fraud and the above crimes.

Key Points From The Daily Mail Report

According to information from the new Daily Mail report, “Russian records show that in 2019, Polyanin was registered as an individual entrepreneur involved in the development of computer software and IT consulting.” The Daily Mail has since confirmed the FBI’s hunches, as British reporters now know that Polyanin lives a comfortable life in an upscale neighborhood in the Siberian city of Barnaul, Russia. The Daily Mail reports that the FBI claims to have seized $6.1 million “in ill-gotten funds” from Polyanin, while a bounty of $5 million would be awarded for any information leading to his arrest. Polyanin has a couple of factors working in his favor. First of all, Russia does not extradite its citizens, so ultimately the only courts he could face are the local courts in Russia. Secondly, his neighbors have allegedly refused to take part in any investigation: they were familiar with the allegations but “untroubled” and not interested in talking about the case. Mere days after the allegations, his family was vague when asked and said that they did not know where he was. Later, however, Polyanin’s family requested not to be disturbed anymore, stating that they were fine and that Polyanin had got in touch. According to them, it was all fake and he is on holiday.
