German Authorities Identify Suspected REvil Member


Investigators from Germany’s Baden-Württemberg State Criminal Police Office have issued an arrest warrant for a billionaire whom they suspect belongs to the Russian-led REvil ransomware group. A series of bitcoin transfers uncovered by a team of investigators and journalists indicates that the man, who goes by Nikolay K., was likely receiving cryptocurrency payments for his involvement in illicit activities.

The identification of Nikolay K. is unusual, as cybercriminals are notoriously difficult to catch. Although a joint international law enforcement operation in September did lead to the arrest in Ukraine of two individuals likely affiliated with REvil, it is usually only such lower-level affiliates (individuals who rent ransomware software from REvil and carry out the intrusions themselves) who are identified, not the core operators.

REvil, which operates on a ransomware-as-a-service model, has been blamed for several billion dollars in damages inflicted on hundreds of businesses, with high-profile targets including meatpacker JBS, IT management software vendor Kaseya, Apple, a German IT company, and a theater in Stuttgart, Germany. Associates of the group, who developed and then used the DarkSide encryption software, were responsible for the Colonial Pipeline cyberattack in May.

The German Federal Office for Information Security considers REvil’s software to be among the most dangerous in the field of ransomware. REvil follows a clear pattern of operation: it gains access to a victim’s network, exfiltrates a copy of the data, encrypts the systems, and then extorts a cryptocurrency payment both for the decryption key and for not publishing the stolen data.


During the week of October 17, REvil was itself hacked and forced offline by a multinational law enforcement operation, and its websites are no longer reachable.

“The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, has truly engaged in significant disruptive actions against these groups,” said Tom Kellermann, head of cybersecurity strategy at VMware.

“We are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable,” said a spokesperson for the White House National Security Council.

President Joe Biden spoke with Russian President Vladimir Putin in July about these cyberattacks.

“I made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," said Biden.

However, Russia has not turned Nikolay K. over to German authorities, who instead must wait for the suspect to enter a country more likely to cooperate in his apprehension.