A global police operation has dealt a devastating blow to one of the most prolific cyber-crime gangs in history.
The co-ordinated action against the REvil gang was announced on Monday by Romanian police, the US Department of Justice (DOJ) and Europol.
The raids, which took place both on and offline, led to the arrests of two alleged hackers in Romania and one from Ukraine.
REvil has been blamed for major hacks on global businesses in recent years.
The US also announced that it had successfully retrieved more than $6m (£4m) in cryptocurrency from the gang in a so-called “claw back” hacking operation.
For the last three years REvil – which used to call itself GandCrab and is also known as Sodinokibi – has been attacking businesses and institutions around the world.
Europol’s operation, named GoldDust, was set up specifically to tackle the group. Since February the operation has led to seven arrests of alleged gang members in total, in Romania, Ukraine, South Korea and Kuwait.
Officers allege that the two Romanians arrested on 4 November infected 5,000 victims and pocketed half a million euros in ransom payments.
In recent weeks the leaders of REvil announced that pressure from authorities had forced them to shut down operations.
Back in May, REvil’s ransomware targeted the world’s largest meat processor, JBS SA, disrupting meat production for several days. The company ultimately paid $11m to the hackers.
The group’s malware also caused months of disruption to foreign exchange company Travelex, which had all computer systems offline for weeks.
Most recently, the gang successfully hacked Florida-based software firm Kaseya, an intrusion which subsequently infected up to 1,500 businesses around the world.
The US Treasury Department said more than $200m in ransom payments were paid in Bitcoin and Monero in the attack.
The DOJ says Yaroslav Vasinskyi, 22, a Ukrainian man arrested in Poland last month, was responsible and has indicted him. The US is seeking to extradite him for trial in America.
Another alleged REvil operative, Russian Yevgeniy Polyanin, 28, has also been charged by the US with conspiracy to commit fraud, and conspiracy to commit money laundering, among other charges.
Russia is unlikely to extradite its own citizen to the US, so Mr Polyanin is expected to join a growing list of wanted alleged Russian hackers.
The Treasury Department added that the two men face sanctions for their alleged role in ransomware incidents in the United States.
Court documents also accused a virtual cryptocurrency exchange called Chatex of “facilitating financial transactions for ransomware actors”.
FBI Director Christopher Wray told reporters on Monday: “The long arm of the law reaches a lot further than they think.
“The cyber threat is daunting, but when we combine the right people, the right tools and the right authority, our adversaries are no match for what we can accomplish together.”
A big day for cyber-security
Good news is rare in cyber-security, especially in the last 18 months when the surge in ransomware attacks has targeted everything from public institutions to schools and hospitals.
But this is unequivocally great news.
REvil was probably the most prolific and dangerous cyber-crime gang ever, and it operated with complete confidence and arrogance.
Not only were their attacks indiscriminate, they had a website they sarcastically called their “Happy Blog” where they would name and shame victims who didn’t pay their ransoms.
They even had a live chat portal and were happy to brag about their work to reporters like me.
This multinational police operation is extremely impressive in its co-ordination and aggression, and shows just what can be done to attack these cyber-criminals on all fronts.
This is probably the end of REvil, and along with other recent success stories, it feels like a turning point in the fight against ransomware.
But with many of the criminal gangs thought to be operating in Russia immune from prosecution, it likely won’t be the end just yet.