German researchers have identified a Russian man as a core member of the REvil ransomware gang, one of the most notorious and successful ransomware groups of recent years, which has infected hundreds of businesses around the world. On July 2nd, the group attacked the Kaseya cloud-based MSP platform, affecting its clients, and demanded $70 million in Bitcoin to decrypt all compromised systems.
After tracking some of the Bitcoin payments he made over the years, authorities (including the Bundeskriminalamt and Landeskriminalamt Baden-Württemberg) believe he is neither a cryptocurrency investor nor a seller. While the suspect’s true identity is unknown, the German press is referring to him as ‘Nikolay K.’ and reporting that investigators have linked him to Bitcoin ransom payments tied to the GandCrab ransomware gang.
Another victim was the Stuttgart State Theaters.
Experts explained, based on their evaluation of the Bitcoin payments: “More than 60 websites were registered with this, some with authentic contact information, such as cell phone numbers. That comes from a database of the IT security company Domaintools. One of these cell phone numbers is linked to a Telegram account that supposedly specializes in trading cryptocurrencies. Payments worth almost 400,000 euros were transferred to a Bitcoin address specified there. These payments probably originate from ransomware incidents.”
The group’s members have been extra careful since the raid on REvil’s infrastructure two weeks ago, but Nikolay appears to have been unaware of how close the police were to arresting him. Nikolay’s wife went on vacation this summer, while the ransomware culprits stayed in Russia, possibly to avoid any unexpected arrest while abroad.
According to German experts, REvil operations are linked to a crypto millionaire.