{
	"id": "6be34942-e699-4e0d-8b90-fc6dfdeeb0a7",
	"created_at": "2026-04-06T00:22:29.298159Z",
	"updated_at": "2026-04-10T03:20:56.675633Z",
	"deleted_at": null,
	"sha1_hash": "faee87f2c2a6c74c37e40473c50a6d8a5ed77deb",
	"title": "Five affiliates to Sodinokibi/REvil unplugged",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 848404,
	"plain_text": "Five affiliates to Sodinokibi/REvil unplugged\r\nBy Europol\r\nPublished: 2021-11-08 · Archived: 2026-04-05 16:07:03 UTC\r\nUpdated on 8 November at 18:30\r\nOn 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the\r\nSodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a\r\nmillion euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other\r\naffiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation\r\nGoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint\r\ninternational law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used\r\nby Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.\r\nAnti-REvil team set up in Europe\r\nSince 2019, several large international corporations have faced severe cyber-attacks, which deployed the\r\nSodinokibi/REvil ransomware. France, Germany, Romania, Europol and Eurojust reinforced the actions against\r\nthis ransomware by setting up a Joint Investigation Team in May 2021. Bitdefender, in collaboration with law\r\nenforcement, made a tool available on the No More Ransom website that would help victims of Sodinokibi/REvil\r\nrestore their files and recover from attacks made before July 2021. In the beginning of October, a\r\nSodinokibi/REvil affiliate was arrested at the Polish border after an international arrest warrant was issued by the\r\nUS. The Ukrainian national is suspected of perpetrating the Kaseya attack, which affected up to 1 500 downstream\r\nbusinesses and for which Sodinokibi/REvil asked a ransom of about €70 million. 
Additionally, in February, April\r\nand October 2021 authorities in South Korea arrested three affiliates involved in the GandCrab and\r\nSodinokibi/REvil ransomware families, which had more than 1 500 victims. On 4 November, Kuwaiti authorities\r\narrested another GandCrab affiliate, meaning a total of seven suspects linked to the two ransomware families have\r\nbeen arrested since February 2021. They are suspected of attacking about 7 000 victims in total.\r\nGoldDust’s links to GandCrab\r\nSince 2018, Europol has supported a Romanian-led investigation which targets the GandCrab ransomware family\r\nand involved law enforcement authorities from a number of countries, including the United Kingdom and the\r\nUnited States. With more than one million victims worldwide, GandCrab was one of the world’s most prolific\r\nransomware families. These joint law enforcement efforts resulted in the release of three decryption tools through\r\nthe No More Ransom project, saving more than 49 000 systems and over €60 million in unpaid ransom so far. The\r\ninvestigation also looked at the affiliates of GandCrab, some of whom are believed to have moved towards\r\nSodinokibi/REvil. Operation GoldDust was also built up on leads from this previous investigation targeting\r\nGandCrab.\r\nDecrypt with No More Ransom\r\nThe support from the cybersecurity sector has proven crucial for minimising the damage from ransomware\r\nattacks, still the biggest cybercrime threat. Many partners have already provided decryption tools for a number of\r\nransomware families via the No More Ransom website. Bitdefender supported this investigation by providing key\r\ntechnical insights throughout the entire investigation, along with decryption tools for both of these highly prolific\r\nransomware families to help victims recover their files. 
KPN and McAfee Enterprises are other private sector\r\npartners that have also supported this investigation, by providing technical expertise to law enforcement.\r\nCurrently, No More Ransom has decryption tools for GandCrab (V1, V4 and V5 up to V5.2 versions) and for\r\nSodinokibi/REvil. The Sodinokibi/REvil decryption tools helped more than 1400 companies decrypt their\r\nnetworks, saving them almost €475 million in potential losses. The tools made available for both ransomware\r\nfamilies enabled more than 50 000 decryptions, for which cybercriminals had asked about €520 million in ransom.\r\nEuropol’s support\r\nEuropol facilitated the information exchange, supported the coordination of operation GoldDust and provided\r\noperational analytical support, as well as cryptocurrency, malware and forensic analysis. During the action days,\r\nEuropol deployed experts to each location and activated a Virtual Command Post to coordinate the activities on\r\nthe ground. The international cooperation enabled Europol to streamline victim mitigation efforts with other EU\r\ncountries. These activities prevented private companies from falling victim to Sodinokibi/REvil ransomware.\r\nThe Joint Cybercrime Action Taskforce (J-CAT) at Europol supported the operation. 
This standing operational\r\nteam consists of cyber liaison officers from different countries who work from the same office on high profile\r\ncybercrime investigations.\r\n*Participant countries: Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg,  Norway,\r\nPhilippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, the United States\r\n* Participating organisations: Europol, Eurojust and Interpol\r\nHeadquartered in The Hague, the Netherlands, Europol supports the 27 EU Member States in their fight against\r\nterrorism, cybercrime, and other serious and organised crime forms. Europol also works with many non-EU\r\npartner states and international organisations. From its various threat assessments to its intelligence-gathering and\r\noperational activities, Europol has the tools and resources it needs to do its part in making Europe safer.\r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged"
	],
	"report_names": [
		"revil-unplugged"
	],
	"threat_actors": [],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faee87f2c2a6c74c37e40473c50a6d8a5ed77deb.pdf",
		"text": "https://archive.orkl.eu/faee87f2c2a6c74c37e40473c50a6d8a5ed77deb.txt",
		"img": "https://archive.orkl.eu/faee87f2c2a6c74c37e40473c50a6d8a5ed77deb.jpg"
	}
}