The big picture: A group of cooperating German investigators and journalists claim to have tracked down a key member of the REvil ransomware gang, which has been responsible for a significant number of attacks this year. It remains unclear when, or if, the investigators will be able to arrest the person in question, because he resides in Russia, whose government has been accused of turning a blind eye to ransomware gangs operating within its borders.
According to reports from German news organizations Bayerischer Rundfunk and Die Zeit, the two spent months following the digital trail of Bitcoin and email addresses to establish a connection between ransomware payments and someone they refer to as “Nikolay K.” Social media videos from his wife “Ekaterina K.” show the couple vacationing in the Mediterranean on expensive yachts. Nikolay’s own profile only reveals that he makes money in Bitcoin.
The reporters were able to link Nikolay K.’s name to Russian websites and phone numbers tied to a Telegram account, which in turn is tied to a Bitcoin address. That Bitcoin address received at least six payments totaling over $450,000 from wallets Zeit says are connected to criminal organizations. Blockchain payment analysts told Zeit the payments most likely came from extortion.
The Baden-Württemberg State Criminal Police Office (LKA) is also convinced Nikolay K. is a REvil member, and has been investigating him since a 2019 ransomware attack on a Stuttgart theater. The LKA has already prepared an arrest warrant for Nikolay K., but can’t execute it unless he enters a country willing to cooperate with Germany. Nikolay K.’s most recent vacation, however, was in Crimea, which Russia occupied and annexed in 2014.
Earlier this month, McAfee released a security report claiming that REvil’s ransomware accounted for over 70 percent of the detections attributed to the top 10 ransomware families in the second quarter of 2021.
REvil most famously attacked IT management platform Kaseya this summer, impacting hundreds of businesses that use its services. REvil demanded a $70 million ransom for the decryption keys to unlock systems which the REvil software had encrypted.
Security researchers later released those keys for free, along with instructions for how to use them. REvil then temporarily disappeared, only to reappear and resume its attacks using new software that the old keys can’t decrypt. REvil has even reportedly stolen ransom money from the affiliates that rented its software for their own attacks.