REvil gang member identified living luxury lifestyle in Russia, says German media

Die Zeit: He's got a Beemer, a Bitcoin watch and a swimming pool

German news outlets claim to have identified a member of the infamous REvil ransomware gang – who reportedly lives the life of Riley off his ill-gotten gains.

The gang member, nicknamed Nikolay K by Die Zeit newspaper and the Bayerische Rundfunk radio station, reportedly owns a €70,000 watch with a Bitcoin address engraved on its face and rents yachts for €1,300 a day whenever he goes on holiday.

"He seems to prefer T-shirts from Gucci, luxurious BMW sportscars and large sunglasses," reported Die Zeit, which partly identified him through social media videos posted by his wife.

"This video," said the newspaper regarding the €1,300/day yacht trip, "is from Antalya, on the south coast of Turkey, but others have come from a five-star hotel in Dubai, from the Crimean Peninsula, or even from the Maldives."

German police are said to be aware of the suspect's true identity and location, which is reportedly somewhere in southern Russia "in a house with a swimming pool" and with an expensive BMW parked outside. The report added that "Nikolay" might have detected the Western investigations against him, noting that his last holiday was to the Russian-occupied Crimean peninsula. If he travels to a country with a German extradition treaty, police will attempt to remove him to their country, the newspaper added.

Emsisoft researcher Brett Callow told The Register the identification of "Nikolay" was a great thing, saying: "Ransomware gangs have had it easy for too long, with the risk/reward ratio being very much on their side. But that's starting to change."

He continued: "Diplomatic measures, law enforcement action and joint public-private efforts are combining to disrupt the crims' operations and interrupt their revenue streams. And this is a critical part of solving the ransomware problem. The more we can increase their risks and decrease their rewards, the less incentive they'll have to carry on crimming."

REvil is one of the more notorious ransomware gangs of our time. After its recent activity, which included targeting US IT management software provider Kaseya, its websites went offline in July. A few months after their reappearance they went dark again, with the US boasting that a multi-country cyber operation was the reason behind the latest vanishing act. (British officials refused to comment when El Reg asked if they were involved.)

The extortion gang's tactics include simple attack techniques that have been known about for years. Once they're inside a victim's network, they deploy their ransomware, encrypt everything they can touch and leave a ransom note inviting the target to contact them through a messaging platform controlled by the gang. From there the extortionists demand a hefty payment in cryptocurrency in return for supplying a decryptor.

A few weeks ago somebody claiming to be a REvil contractor gave an interview to a Russian-language news outlet, painting a mundane picture of someone who knows he's doing bad things and doesn't really care either way. The gang has a ransomware-as-a-service operation, though some of its criminal customers have moaned that they did all the hard work only for REvil to divert the ransom out of their hands. ®