Russia-Linked REvil Hackers and Their Affiliates Hit with Arrests by the U.S. and International Allies
On November 8, 2021, law enforcement agencies in the United States and the European Union announced a series of actions, including a number of arrests, taken against the Russia-linked ransomware group “REvil.” The U.S. Department of Justice (the “DOJ”) unsealed documents relating to an August indictment, filed in Dallas, against two individuals for alleged involvement in REvil ransomware attacks against several U.S. businesses. The European Union’s law enforcement agency, Europol, also announced that police in Romania and South Korea had arrested five people alleged to be REvil affiliates.
“REvil,” short for “Ransomware-Evil,” is one of the world’s most infamous ransomware gangs. The group is accused of staging several attacks this year against major companies and organizations, including the meat supplier JBS S.A. and the technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.
Europol’s arrest of REvil affiliates stemmed from an international investigation named GoldDust, which involved law enforcement agencies from 17 countries, including the U.S., the U.K., France and Germany. The alleged hackers are suspected of involvement in about 5,000 ransomware infections. Under the two Dallas indictments, the alleged hackers, a Ukrainian national and a Russian national, have been charged with conspiracy to commit fraud and money laundering, as well as other computer crimes, against several U.S. businesses. The DOJ also announced that it seized $6.1 million in ransom payments tied to one of the indicted hackers. The U.S. Treasury Department announced actions intended to disrupt ransomware attacks and virtual currency exchanges that launder the illicit proceeds. For example, it levied sanctions against the two indicted individuals, as well as Chatex, a Russian-linked cryptocurrency exchange that allegedly facilitated ransomware payments.