U.S. law enforcement officials this week announced the indictments of a Ukrainian national and a Russian citizen in connection with ransomware campaigns by the recently shuttered REvil cybercriminal group, including the high-profile attack on IT software vendor Kaseya earlier this year.
The indictments followed an announcement by European officials that they had arrested five REvil affiliates this year, plus two others linked to the GandCrab ransomware.
The U.S. Department of Justice said Yaroslav Vasinskyi, a 22-year-old from Ukraine, was charged in connection with attacks on Kaseya and other victims, while Yevgeniy Polyanin, 28, a Russian national, is accused of conducting ransomware attacks using the REvil (also known as Sodinokibi) ransomware against multiple entities, including businesses and government agencies in Texas in 2019.
The DOJ also seized $6.1 million in funds that were connected to ransoms that had been paid by victims and received by Polyanin.
Growing Law Enforcement Efforts
The arrests are the latest examples of U.S. law enforcement’s escalating efforts to stem the rising tide of ransomware and other attacks on companies and individuals in the United States. That has included the creation of a DOJ Ransomware and Digital Extortion Taskforce, which also includes other agencies within the department such as the FBI and the National Security Division.
It also comes less than a week after the State Department put a $10 million bounty on the leaders of the DarkSide cybercriminal organization that was responsible for the ransomware attack on Colonial Pipeline and $5 million for information leading to the arrest and conviction of anyone participating in an attack involving the DarkSide variant.
Like REvil, DarkSide had announced before the bounties were issued that it was shutting down due in part to pressure from law enforcement groups. BlackMatter, a Russia-based ransomware group that rose to prominence in the wake of DarkSide’s shuttering, also announced this month that it was closing operations for similar reasons.
There have been a number of other U.S. government actions on ransomware and other cybersecurity issues this year, including an executive order by President Biden and the inclusion of $1.9 billion in security funding in the recently passed U.S. infrastructure bill. Federal agencies have also taken a high profile in urging companies to patch vulnerabilities and take other ransomware protection steps.
Ransomware “attacks have targeted our critical infrastructure, law enforcement agencies, hospitals, schools, municipalities and businesses of all sizes,” U.S. Attorney General Merrick Garland said in prepared remarks after announcing the indictments. “Meeting this threat requires a whole-of-government approach. Together, with our partners, the Justice Department is sparing no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”
Along with the indictments against the Ukrainian and Russian suspects, the State Department also extended its reward offers to include up to $10 million for information that leads to the identification or location of top leaders of the REvil ransomware gang and up to $5 million for information that leads to the arrest or conviction of people who participated in REvil-related ransomware attacks.
Vasinskyi allegedly was responsible for the July 2 attack against Kaseya, in which malicious REvil code deployed in a Kaseya product spread the REvil ransomware to endpoints on the networks of Kaseya users. In their attacks, both defendants demanded money from their victims and, if the ransom was paid, provided a decryption key so victims could regain control of their data. If the ransom wasn’t paid, the threat actors posted the stolen data on the dark web or said they had sold it to third parties.
Charges Include Extortion, Conspiracy
Vasinskyi was indicted Aug. 11 and charged with conspiracy to intentionally damage protected computers, damaging computers, and extortion. The indictment was kept sealed until this month. He was arrested Oct. 8 by Polish authorities after crossing into the country from Ukraine. He is being held in Poland pending an extradition hearing.
He is accused in his indictment of conducting a ransomware attack on a single company on May 21, 2019 and attacks on eight companies on July 2, 2021, including Kaseya.
Polyanin, the Russian national, faces similar charges in his indictment and is accused of conducting about 3,000 ransomware attacks and extorting about $13 million from his victims, according to Garland.
Deputy Attorney General Lisa Monaco said in a statement that authorities were “able to recover ransom by following the money. The career prosecutors and special agents of the FBI working with partners around the globe did some good old-fashioned detective work by chasing down digital leads, identifying infrastructure to dismantle and seizing funds.”
Attacks Likely to Continue
Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, told eSecurity Planet that the DOJ tracking down Vasinskyi and Polyanin was encouraging and hopefully a sign that others also will be charged. Even if an attack can be attributed to a particular group, it’s “nearly impossible” to hunt down individual members of the group, he said.
Schless also warned that ransomware attacks will continue and that organizations need to protect themselves.
“The frequency of ransomware attacks is enabled by growth in the ransomware-as-a-service market,” he said. “RaaS like REvil enables threat actors who are affiliates of the ransomware groups that develop these services to execute sophisticated attacks with pre-built malware. This exemplifies how ransomware groups are becoming more operationally sophisticated. They run themselves like a small business by offering a service, figuring out a repeatable model and continuously reinvesting in new tactics and technology that create continued success of their product.”
Law enforcement agencies are making “considerable gains” in charging individuals and seizing ransom payments, according to Chris Morgan, senior cyberthreat intelligence analyst for security firm Digital Shadows. He pointed to the $2.3 million in cryptocurrency ransom paid to the DarkSide group that U.S. authorities seized in June.
“While the numbers of arrests and funds seized are relatively low when considering the numbers of attacks occurring each week, it does represent a significant step in the right direction and a playbook that law enforcement can continue to follow,” Morgan told eSecurity Planet. “The tempo of law enforcement operations may already be having an impact on the confidence of ransomware groups.”
Ransomware Progress in Europe
REvil ransomware had been a particularly high-profile threat. According to Garland, the ransomware had been deployed on about 175,000 computers worldwide, with at least $200 million paid in ransom.
U.S. authorities aren’t the only ones who have seen some success in pursuing the REvil gang. In Europe – where large corporations had come under attack from the ransomware group since 2019 – Europol this week said that along with Vasinskyi, two other people alleged to be associated with REvil were caught in South Korea in February and April.
In all, seven people with suspected links to two ransomware families – including one called GandCrab – have been arrested since February. They are accused of attacking about 7,000 victims.
The arrests were part of Operation GoldDust, which involved Europol, Eurojust and Interpol along with authorities from 17 countries, including France, Germany, Belgium, the UK, the United States and Australia. The initiative included identifying suspects, using wiretaps and seizing infrastructure used by REvil, which was seen as the successor of GandCrab.
In addition, tools and support from cybersecurity firms BitDefender, McAfee and KPN drove the No More Ransom website, which enabled victims to recover their data without paying a ransom.