On the 4th November, Romanian authorities had arrested two individuals suspected of cyber-attacks using REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol.
In addition to these arrests, three additional arrests were made in February, April and 2021 by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate was arrested in Europe in October. In total, the operation has resulted in seven arrests and it’s the first time they’ve been disclosed publicly by law enforcement.
REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.
Europol supported this operation, providing analytical support, as well analysis into malware and cryptocurrency. The 17 countries participating in “Operation GoldDust” are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.
The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.
At Sophos, it is one of the ransomware-as-a-service (RaaS) encountered frequently. We devote significant effort to combating this menace. In our world-leading endpoint product, Intercept X, we have the tamper protection feature that prevents a script from disabling endpoint protection features, we use behavioural detection rules that identify core activities associated with ransomware and we have a feature called Cryptoguard that mitigates the risk of ransomware from encrypting data.
The anti-ransomware technology included in Intercept X detects malicious encryption processes and shuts them down before they can spread across your network. It prevents both file-based and master boot record ransomware.
Any files that were encrypted are rolled back to a safe state, meaning your employees can continue working uninterrupted, with minimal impact to business continuity. You get detailed post-cleanup information, so you can see where the threat got in, what it touched, and when it was blocked.
Even though ransomware has been a threat for decades, it has evolved in sophistication and the operators are adapting to the cybersecurity landscape to evade detection and they will use tactics such as coercing victims into paying. Example of this seen by the Sophos Rapid Response team include attackers emailing or phoning a victims’ employee and telling them that their personal data has been stolen. The goal is to scare them into demanding their employer pays the ransom.
Sophos MTR is a 24/7 threat hunting, provides 24/7 threat hunting, detection, and response capabilities as a fully-managed service. It is delivered by an expert team, who can investigate suspicious activity that can eventually lead to ransomware and is able to neutralise incidents before they become a bigger problem. Learn more by clicking here.