Romanian authorities have arrested two men suspected of using the REvil Windows ransomware in some 5,000 attacks, the Europol police agency said.
Europol released a statement on Monday saying that the two suspects were taken into custody by Romanian authorities on Nov. 4.
Romania’s anti-organized crime unit said they were detained in the Black Sea port of Constanta and a Bucharest court ordered they remain in custody for 30 days. Authorities took away laptops and mobile phones.
They’re allegedly responsible for 5,000 ransomware infections, which resulted in half a million euros in ransom payments.
Another five men have been arrested since February, three suspected of having used REvil and two others of using GandCrab, a precursor of REvil, in ransomware attacks, the Europol statement said.
Seventeen countries were involved in the operation, known as GoldDust. They are: Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the UK and the U.S.
Interpol and Eurojust were also part of the takedown, ITWire reported.
“In the beginning of October, a Sodinokibi/REvil affiliate was arrested at the Polish border after an international arrest warrant was issued by the US,” the Europol statement said.
“The Ukrainian national is suspected of perpetrating the Kaseya attack, which affected up to 1500 downstream businesses and for which Sodinokibi/REvil asked a ransom of about €70 million.”
Europol said at the time the two were suspected of a number of attacks against big European and North American targets from April 2020 onwards.
The arrests are in addition to three other suspected affiliates of the notorious Russian-led criminal gang and two suspects connected to GandCrab, an earlier ransomware crime group, arrested earlier this year, Europol said.