Suspected REvil Gang Insider Identified

German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang.

He lolls around on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang.

The showy billionaire goes by “Nikolay K.” on social media, and German police are hoping he’ll cruise out of Russia on his next vacation – preferably, to a country with a cooperation agreement with Germany so they can arrest him. In case he decides to kick back somewhere other than sunny Crimea, they’ve got an arrest warrant waiting for him.

According to a joint investigation by the German media outlet Zeit Online and the German public broadcaster Bayerischer Rundfunk, investigators from Germany’s Baden-Württemberg State Criminal Police Office (LKA) are convinced that Nikolay K. is part of the core group that operates the ransomware-as-a-service (RaaS) player REvil, aka Sodinokibi.

It’s Rare to Snare a Ransomware Gang’s Big Fish

It wouldn’t be the first time that ransomware operators were collared, but we don’t typically see police nab the bigwigs. For example, in September, two members of an unidentified ransomware gang (suspected to be REvil) were arrested in Ukraine following a joint international law enforcement operation. In January, a Canadian man was arrested and charged in the U.S. in connection with NetWalker ransomware attacks – NetWalker being another RaaS.


Those were reportedly small fish, though: affiliates who rent malware from the actual criminal group and then cut it in for a portion of whatever extortion payment they collect. (Payments that REvil operators cheated their affiliates out of via a backdoor and double chats, inserting themselves between a victim and an affiliate so that the gang could pocket the whole enchilada.)

Germany’s Grudge Against REvil

REvil’s notorious. Its victim list has included Kaseya and its many managed service provider (MSP) customers, the global meat supplier JBS Foods, and even, audaciously enough, Apple.

True, REvil’s steadily lost clout as a moustache-twirling villain. Twice now it’s had its servers shoved offline, once in July, in mysterious circumstances that the underground and the overground are still debating, and again last week by governments.

According to Reuters, which broke the news about last week’s law enforcement move against the gang, REvil was also behind the Colonial Pipeline attack, rather than DarkSide, the ransomware group previously presumed to be the culprit.

Still and all, the German Federal Office for Information Security (BSI) classifies REvil as “one of the most dangerous programs in the field,” according to Zeit Online. Its report cites multiple nasty attacks carried out by the gang in Germany, including a 2019 attack against a German IT company that serves doctors’ offices and hospitals, which forced several clinics offline and into emergency operations.

REvil’s also behind a 2019 attack on a Stuttgart theater, in which GandCrab – reportedly an earlier version of REvil, which shuttered operations in 2019 – was used.

The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is thought to have paid a 15,000 euro ransom in cryptocurrency.

Tracing the Untraceable

In order to track down the Russian billionaire who could turn out to be part of REvil’s leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect’s digital tracks through anonymous Telegram channels and cryptocurrency payments. They searched for the name he uses on social media, found an associated email address used to register multiple websites, and looked into Russian mobile phone numbers associated with the sites.

One of the numbers led them to a Telegram account on which a Bitcoin address was published – an address to which more than 400,000 euros have been paid in Bitcoin.

“The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K,” according to the report.

Come Out, Come Out, Wherever You Are

The LKA investigators from Stuttgart are reportedly monitoring social media closely, in hopes that Nikolay K. will trip up.

Investigators aren’t the only ones who keep a close eye on social media and headlines, of course: When governments took down the gang’s leak site and Tor payment site last week, a top leader – 0_neday – knew that the server had been compromised.

0_neday took to the XSS criminal forum, writing that the server had been hacked and that they were exiting stage left:

“The server had been hacked, and they were on the lookout for me. They removed the route of my secret service from the torrc file and replaced it with their own, causing me to go there. I double-checked with others, and this was not the case. Good luck to everyone; I’m leaving now.” —0_neday’s post to the XSS forum.

Good luck with this one, LKA: REvil may have slipped up multiple times – and been caught at it – recently, but if Nikolay K. is really part of the brains of the REvil operation, he is presumably smart enough not to step outside Russia’s borders anytime soon.
