REvil Ransomware Gang Leader Identified

German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang. The billionaire is has been named as  Nikolay K by German law enforcement agencies.

German police discovered Nikolay’s email address, which was also used to register to over 60 websites, along with his phone number that is associated with a Telegram account. This account was used for legitimate crypto-trading activities, but the investigation into some of the transactions revealed that some of them were associated to ransom payments.

Nikolay K claims to be a trader of crypto currencies in social networks. The man lives in Russia and enjoys  a luxurious lifestyle. German police are said to be aware of the suspect's true identity and location, which is reportedly somewhere in southern Russia "in a house with a swimming pool" and with an expensive BMW parked outside.

According to the German media investigators, the State Criminal Police Office in Baden-Württemberg (LKA) are convinced that Nikolay K. is part of the core group that operate a ransomware-as-a-service operation. Furthermore, these investigators think that it was REvil who ran the Colonial Pipeline attack, rather than the ransomware group DarkSide who have been named as the perpetrators by US authorities. 

The German Federal Office for Information Security (BSI) classifies REvil as “one of the most dangerous programs in the field,” according to Zeit Online. Its report cites multiple attacks carried out by the gang in Germany, including a 2019 attack against a Germany IT company that serves doctors’ offices and hospitals that forced several clinics offline and into emergency operations.

The LKA is now reportedly following the Bitcoin trail of that attack, during which the theater is thought to have paid a 15,000 euro ransom in crypto currency. 

In order to track down of REvil’s leadership, reporters with Bayerischer Rundfunk and Zeit Online spent months tracing the suspect’s digital tracks through anonymous Telegram channels and crypto currency payments. They searched for the name he uses on social media, found an associated email address used to register multiple websites, and looked into Russia mobile phone numbers associated with the sites. One of the numbers led them a Telegram account on which a Bitcoin address was published, an address to which more than 400,000 euros have been paid in Bitcoin. “The reporters were able to establish that bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K,” according to the report.

If Nikolay K, is really part of the leadership of the REvil operation, he would be very unwise to step outside of Russia’s border without risking immediate arrest.

A Russian cyber criminal who collaborated with leading hacker groups, in an interview with Russian media said the latest changes in the balance of power on the Dark Net had made REvil scared of being exposed, he said. The "Russian hacker" did not rule out that members of the REvil group took a two-month "vacation" to ensure their safety. They were prompted to do this by the disappearance of one of the active supporters of the unification.

Reuters:     Threatpost:     The Register:     Lenta:     Oodaloop:     InfosecToday:   

AllTech News:    Metacurity:    Security Affairs:  

You Might Also Read:

DarkSide May Not Stay Dark For Long:

 

« New US National Cyber Director
UAE Central Bank's New Cyber Security Centre »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

Bundesdruckerei

Bundesdruckerei

Bundesdruckerei specializes in secure identity technologies and services for protecting sensitive data, communications and infrastructures.

CTR Secure Services

CTR Secure Services

CTR Secure Services provides a broad range of security consulting services from asset protection to cyber security.

GE Digital

GE Digital

GE Digital is a leading software company for the Industrial Internet. Products include Industrial Cyber Security for Operational Technology (OT).

Secret Double Octopus

Secret Double Octopus

Secret Double Octopus offers the world’s only keyless multi-shield authentication technology for users and things.

Trusted Knight

Trusted Knight

Trusted Knight is a leading provider of security software solutions focused on defeating newly developed malware and crimeware trojans.

Government CSIRT - Chile

Government CSIRT - Chile

Government CSIRT is the Computer Security Incident Response Team for State networks and government cyberspace in Chile.

Featurespace

Featurespace

Featurespace is a world-leader in Adaptive Behavioural Analytics and creator of the ARIC™ platform for fraud and risk management.

CMMI Institute

CMMI Institute

CMMI Institute enables organizations to elevate and benchmark performance across a range of critical business capabilities, including product development, data management and cybersecurity.

SaltStack

SaltStack

SaltStack develops award-winning intelligent IT automation software. We help businesses more efficiently secure and manage all aspects of their digital infrastructure.

riskmethods

riskmethods

riskmethods helps you proactively identify, assess and mitigate supply chain risk. You need to master supply chain risk management—we can help.

Scrut Automation

Scrut Automation

Scrut Automation's mission is to make compliance less painful and time consuming, so that businesses can focus on running their business.

Testhouse Ltd

Testhouse Ltd

Testhouse is a thought leader in the Quality Assurance, software testing and DevOps space. Founded in the year 2000 in London, UK, with a mission to contribute towards a world of high-quality software

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

Pillar Technology Partners

Pillar Technology Partners

Pillar Technology Partners is an Information Security Company with a focus on improving Cyber Risk and optimizing the processes and technology that underpin the security of your information assets.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.