According to Techspot, a group of cooperating German investigators and reporters claim to have traced a key member of the REvil ransomware gang, which is believed to be behind a large number of attacks this year. It is still unclear when, or whether, investigators will be able to arrest this person, because he lives in Russia, and the Russian government has been accused of turning a blind eye to the ransomware groups operating from its territory.
According to reports by the German outlets Bayerischer Rundfunk and Die Zeit, the reporters spent months following digital traces, Bitcoin transactions and email addresses, to establish the connection between ransomware payments and a person they call "Nikolay K." A social media video posted by his wife, "Ekaterina K.", shows the couple on vacation on an expensive yacht in the Mediterranean. Nikolay's own profile says only that he makes his money with Bitcoin.
The reporters were able to link Nikolay K.'s name to a Russian website and to a phone number tied to a Telegram account, which in turn was linked to a Bitcoin address. That address received at least six payments, totaling more than $450,000, from wallets that Die Zeit said were associated with criminal organizations. Blockchain analysts told Die Zeit that these payments most likely originated from extortion.
The Baden-Württemberg State Criminal Police Office (LKA) is also convinced that Nikolay K. is a member of REvil and began investigating him after a ransomware attack on a theater in Stuttgart in 2019. The LKA has prepared an arrest warrant for Nikolay K., but he cannot be arrested unless he enters a country willing to cooperate with Germany. His most recent vacation, however, was in Crimea.
Earlier this month, McAfee released a security report stating that, among the ten most prevalent ransomware families in the second quarter of 2021, REvil's ransomware accounted for more than 70% of ransomware detections.
REvil is best known for its attack this summer on the IT management platform Kaseya, which affected hundreds of companies using its services. REvil demanded a ransom of 70 million US dollars to unlock the systems encrypted by its software.
A security firm later released the decryption keys for free, along with instructions on how to use them. REvil then disappeared temporarily, only to reappear later and resume its attacks with new software whose victims could not be decrypted with the old keys. According to reports, REvil even stole ransom money from the affiliates who rented its software for their own attacks.