The ransomware Godfather? How social posts have exposed REvil honcho


One of the core members of the notorious REvil gang may have been identified by investigators, a development that could bring the gang’s cybercrime to a halt.

REvil has spent the past few years terrorising the globe with some of the most costly and high-profile ransomware attacks we’ve seen to date.

But two significant recent developments indicate its reign may be coming to an end. 

We have written extensively on REvil before, documenting its supposed fall, and then its return, and now we’re talking about its potential fall again. To be sure, few things are certain in the world of cybercrime and anything could happen again. But something different has indeed happened this time, and there’s a chance this could be a seminal moment.

Ransomware is one of the most important areas we work on. It is one of our most common incident response types, and it continues to impact businesses and organisations in Australia.

How a REvil head honcho may have been tracked down

Showy social media posts depicting a lavish lifestyle of yachts, expensive cars and luxury travel appear to have helped investigators identify one man they believe is a core member of the gang. 

“Nikolay K”’s own social media account is private, but he often appears in his wife’s videos and photos: scenes of coastal holidays, five-star hotels and yachting trips, according to a joint investigation by German news outlet Zeit Online and the country’s public broadcaster Bayerischer Rundfunk.

The Russian is regularly pictured wearing Gucci t-shirts and luxury watches and posing next to sports cars, they reported. His house has a swimming pool, a rarity in the area, and an expensive BMW parked in the driveway.

Multiple large Bitcoin transfers to what appears to be his cryptocurrency wallet are very likely the proceeds of extortion, based on the chain of transactions that preceded them. And his official business, a small sports bar in the city, could not fund the kind of lifestyle his wife regularly presents on her social media profile.

These online clues are part of the reason German police are reportedly convinced Nikolay K is one of the major players in REvil, which they describe as “one of the most dangerous programs in the field”.

The investigators are monitoring social media to spot when the husband and wife next go overseas on vacation, in the hope that this could provide an opportunity to arrest him, the news outlets reported.

But the Russian may have caught wind of their efforts, despite law enforcement refusing to comment publicly on their investigation: his last vacation was in Crimea, and it’s been some time since he’s left Russia. 

A modern Godfather? Nikolay K’s showy social media presence, depicting a lavish lifestyle of yachts, expensive cars and luxury travel, appears to have helped investigators identify him as a core member of the gang.

FBI sting? 

At the same time, rumours are rife that US law enforcement, which is also pursuing the gang, has managed to infiltrate and at least partially shut down the group’s operations.

REvil first went offline briefly in July after high-profile attacks on the likes of IT provider Kaseya and meat supplier JBS resulted in unwanted heat on the group. 

It gave no explanation for the disappearance at the time, nor a few months later when the gang made its loud return to operations. 

But REvil’s payment portal and dark web leak site have once again gone dark without warning. 

This time, however, there are strong indications the group may have fallen victim to a co-ordinated global law enforcement takedown. 

Reuters recently reported that law enforcement had compromised the gang’s backups, so when REvil resurfaced after its previous hiatus, it unknowingly restored some systems from backups that were already under the control of investigators.

This report was seemingly confirmed by a REvil associate who posted online that “the server was compromised, and they were looking for me. Good luck, everyone; I’m off”. 

Law enforcement is yet to comment publicly on the report.  

International crackdown on ransomware figures

It’s rare for authorities to nab one of the bigwigs of the ransomware industry; to date it has been more common for the small fish, the affiliates, to come undone.

This is largely due to stronger operational security on the part of the core operators, but also because they are most often located in countries such as Russia or North Korea that do not cooperate with extradition requests.

However, international law enforcement is currently having something of a moment in its clampdown on the lucrative ransomware industry.

Two alleged developers of the Trickbot malware have been charged in recent months, two members of an unidentified gang thought to be REvil were arrested in Ukraine, and a Canadian man was arrested and charged for his involvement with the NetWalker ransomware. 

And just this week, Europol announced 12 individuals had been detained in a joint operation spanning eight countries for their role in perpetrating ransomware attacks globally. 

Recent wins in the fight against ransomware

More than 1800 victims across 71 countries had been impacted by the alleged criminals’ actions, Europol said. Cash, luxury vehicles and electronic devices were seized in the October 26 raids across Ukraine and Switzerland. 

Global law enforcement, largely led by the US, has been prompted to take stronger action against these criminal groups in recent months following a series of high-profile and damaging attacks, particularly against critical infrastructure, such as petroleum operator Colonial Pipeline and the aforementioned JBS.

A joint statement out of the recent 30-country Counter-Ransomware Initiative summit stopped short of endorsing offensive operations outright, but hinted that “all national tools available” would be considered.

The UK was similarly guarded in its wording in its individual statement, while the Dutch government made it clear it would use offensive operations to go after ransomware threatening national security.  

Australia’s new Ransomware Action Plan says the country will utilise the Australian Signals Directorate’s “offshore offensive cyber capabilities to disrupt foreign cybercriminals targeting Australian households and businesses”. 

The REvil takedown could be the first known offensive cyber operation against a ransomware crew. 

The US has been applying pressure for some time on countries such as Russia that have sheltered ransomware actors. But while US President Joe Biden has pushed for an agreement on the issue, only minimal progress has been made to date.

And ransomware gangs are not easily deterred: with such large financial gains to be made, it’s common for these groups to simply shut up shop for a while to avoid detection and resurface under a new name once the storm has passed.

Or, as reported recently, they’ll switch their focus to smaller targets that are less likely to attract attention from law enforcement. It’s not as profitable, but the risks are lower. 

So despite REvil being “top of the list” for US law enforcement, for now it seems unlikely Nikolay K and his associates will be swapping luxury yachts and cars for the inside of a jail cell any time soon. 

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
