Sodinokibi Ransomware Affiliates and Infrastructure feel the Laws Wrath

Three separate reports suggest that international law enforcement agencies are continuing to apply pressure to ransomware gangs, whether it’s the gang leaders, infrastructure, or affiliates. Last week we covered how the BlackMatter ransomware gang was experiencing a legal clampdown. Now despite ceasing operations after reports suggested that US Cyber Command successfully targeted servers used by ransomware gang, is still being targeted by law enforcement. Now it appears that there is an international effort to go after affiliates and leaders of the Sodinokibi gang.

Three articles, published by Bleeping Computer, on November 8, 2021, show the extent of operations against Sodinokibi, tracked as REvil by the publication and several other security firms. The first article covered how Sodinokibi affiliates in both Kuwait and Romania were arrested.

According to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) arrested two suspects believed to be Sodinokibi affiliates. Police also seized mobile devices and storage devices in the operation.

Sodinokibi Ransomware Affiliates and Infrastructure feel the Laws Wrath

This followed news that a Kuwaiti, believed to be an affiliate for Sodinokibi and GandCrab before the ransomware’s administrators retired, was also arrested. In total five affiliates of Sodinokibi have been arrested to date with Europol stating the five arrested are believed to be responsible for an estimated 7,000 infections and demanding an estimated 200 million EUR in ransoms.

In a press statement released by Europol, the reasons for the crackdown were neatly stated. The law enforcement agency noted,

“Since 2019, several large international corporations have faced severe cyber-attacks, which deployed the Sodinokibi/REvil ransomware. France, Germany, Romania, Europol and Eurojust reinforced the actions against this ransomware by setting up a Joint Investigation Team in May 2021. Bitdefender, in collaboration with law enforcement, made a tool available on the No More Ransom website that would help victims of Sodinokibi/REvil restore their files and recover from attacks made before July 2021. In the beginning of October, a Sodinokibi/REvil affiliate was arrested at the Polish border after an international arrest warrant was issued by the US. The Ukrainian national is suspected of perpetrating the Kaseya attack, which affected up to 1 500 downstream businesses and for which Sodinokibi/REvil asked a ransom of about €70 million. Additionally, in February, April and October 2021 authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1 500 victims. On 4 November, Kuwaiti authorities arrested another GandGrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7 000 victims in total.”

DoJ Seizes Assets and Arrests Kaseya Attacker

The second article published by Bleeping Computer covered the US Department of Justice’s announcement that they in conjunction with Polish law enforcement arrested 22-year old Ukrainian national Yaroslav Vasinskyi, who is suspected of conducting the attack on Kaseya. Further 6.1 million USD in assets belonging to another suspect were seized by US officials.

For those familiar with underground hacking forums, Vasinskyi has gone by several aliases including Profcomserv, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22. The suspect is believed to have been responsible for an estimated 2,500 Sodinokibi infections against targets across the globe. Of those attacks, the indictment revealed that ransom demands amounted to 767 million USD but victims paid only 2.3 million USD.

As for the 6.1 million USD belonging to another Sodinokibi affiliate, as alluded to above, the US Treasury Department announced the seizure along with sanctions placed against Russian national Yevgeniy Polyanin, believed to be the other Sodinokibi affiliate.

Polyanin, whose aliases include LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23, is believed to have perpetrated about 3,000 ransomware attacks against various organizations, including multiple U.S. government entities and private-sector companies, extorting around 13 USD million from victims.

Sanctions were announced against both Polyanin and Vasinsky that block all property and interests in their property falling under the U.S. jurisdiction. Further, it was announced that,

“Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action”

Commenting on the action of the DoJ, FBI Director Christopher Wray stated:

“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners,”

US Targets Sodinokibi Leadership

It is not only Sodinokibi affiliates that are in law enforcement’s crosshairs but also the leadership. The US the Department of State's Transnational Organized Crime Rewards Program (TOCRP) is offering a reward of up to 10 million USD for information leading to the identification and location of Sodinokibi’s leaders. In the article it was also noted that 5 million USD of the reward is applicable for information leading to the arrest of the ransomware gang’s leadership.

In the announcement made by the Department of State, the exact wording of the reward is,

“The Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual holding a key leadership position in the Sodinokibi ransomware variant transnational organized crime group.  In addition, the Department is offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.”

Over the last month, we have seen a concerted effort by law enforcement, in both the US and Europe to crack down on ransomware gangs. From the start of 2021 up to around July of this year several incredibly high-profile attacks occurred almost forcing governments to act. The US even opened communications with Russian counterparts on how to best combat the scourge of ransomware.

Attacks on organizations that provide vital services to a country’s critical infrastructure were being viewed in the same light as terrorist attacks. This led high-profile ransomware gangs to state specifically that they would no longer target critical infrastructure, however, the damage had been done. Security researchers predicted a sea change in how governments approached ransomware, based on current events it seems like those predictions have come true.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal