Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

Bogdan BOTEZATU

November 08, 2021

More than three years ago, in February 2018, the Bitdefender DRACO Team released the first of many decryptors for a family of ransomware called GandCrab. Published just one month after the first samples of this ransomware-as-a-service (RaaS) offering appeared, it marked the beginning of a long-running partnership with law enforcement agencies around the world, built on a shared commitment to curb ransomware.

Now, Romanian authorities have arrested two affiliates of the Sodinokibi/REvil ransomware family responsible for 5,000 infections. Since February 2021, law enforcement officers have arrested three other Sodinokibi/REvil affiliates, bringing the total of Sodinokibi arrests to five, as well as two suspects connected to GandCrab. These are among the results of Operation GoldDust, a coordinated effort involving 19 law enforcement organizations: national agencies in Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States, together with Europol, Interpol and Eurojust.

REvil (a.k.a. Sodinokibi) in 30 seconds

Short for Ransomware Evil, REvil is a private RaaS operation that first emerged in 2019. Closely tied to the now-defunct GandCrab RaaS group, REvil relies on affiliates to infect companies and extort money. Since 2019 it has made a name for itself, becoming the most common ransomware variant in the second quarter of 2021.

REvil compromised thousands of businesses around the world and was known to extort much larger payments from victims than the market average. Companies that refused to pay and attempted to restore from backups were blackmailed with the threat of publishing their stolen confidential information.

In collaboration with a trusted law enforcement partner, Bitdefender released a free universal decryptor for REvil attacks that occurred before July 13, 2021. Since mid-September this year, the Sodinokibi/REvil decryptor has helped more than 1,400 companies in 83 countries recover their files and save over $550 million in unpaid ransom. REvil's average ransom demand is about $393,000, much higher than GandCrab's average of between $800 and $2,400.

Download the REvil decryptor

The Bitdefender DRACO Team provided cybersecurity consulting and guidance, especially in cryptography, forensics and investigation, that helped the law enforcement consortium minimize the impact of successful ransomware attacks and eventually led to arrests. This collaboration is a prime example of the public and private sectors working together to significantly disrupt cybercriminal activity.

Existing victims can download the REvil decryptor and take their data back. Note that it covers only attacks that took place before July 13, 2021, and, as with any decryptor, keep a copy of the encrypted files before running it so that a failed attempt can be retried. If you have fallen victim to a ransomware attack, we advise that you do not pay the ransom and that you report the incident to your local law enforcement organization.

Ransomware best practices

  • Ransomware attacks usually start with email phishing and social engineering. Educate and continuously train employees on the dangers of clicking links and opening attachments from unknown sources.
  • Make sure security platforms such as endpoint detection and response (EDR) and extended detection and response (XDR) are kept up to date with indicators of compromise (IOCs) for REvil and other widespread ransomware families.
  • Consider the managed detection and response (MDR) model to supplement an in-house security team's ability to perform active threat hunts.
  • Minimize your attack surface: ensure legacy or otherwise unneeded services (such as RDP) are not exposed to the Internet, and put multi-factor authentication in front of any remote access that must stay exposed.

If you are a law enforcement agency in need of technical expertise in ransomware cases, please connect with us at [email protected]
