The United States continues to make good on its promise to go after cyber attackers, with the latest move the unsealing of charges against two people allegedly deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States.
Yaroslav Vasinskyi, 22, a Ukrainian national, being held now in Poland, is named in an indictment, accused of conducting ransomware attacks against multiple victims, including the July attack against Kaseya.
Vasinskyi was taken into custody on Oct. 8 in Poland, where he is being held pending an extradition hearing to the United States. In parallel with the arrest, the U.S. Justice Department said, interviews and searches were carried out in multiple counties. A news report last month said Vasinskyi was arrested in a village on the Ukraine-Polish border. Today the U.S. said his arrest would not have been possible without the rapid response of the National Police of Ukraine and the Prosecutor Governor’s Office of Ukraine.
The department also announced today the seizure of US$6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas in 2019. It isn’t clear where Polyanin is now.
The Bleeping Computer news service notes that in a space of five months, seven affiliates of the REvil gang have been arrested.
As part of the latest indictments, the U.S. credited a number of law enforcement agencies around the world with their help, including the RCMP.
“Cybercrime is a serious threat to our country, to our personal safety, to the health of our economy, and to our national security,” U.S. Attorney General Garland said in a statement. “Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims.”
According to court documents, Vasinskyi was allegedly responsible for the July 2 ransomware attack against Kaseya. In the alleged attack, the U.S. says Vasinskyi caused the deployment of Sodinokibi/REvil code through a Kaseya product that caused it to spread the ransomware to customers around the world.
Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering.
If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively.
Among those who commented on the arrests was Andy Bennett, currently chief information security officer (CISO) of Apollo Information Systems, who was part of a team that had to respond to the Texas attacks. “I could not be happier to see these particular threat actors brought to justice,” he said in a statement, “as it was REvil/Sodin who hit 23 local governments in Texas in August of 2019. I was the incident commander for that incident, and we did not pay the ransom. I don’t know if information gathered from our incident contributed materially to this success, but I would like to think that we did our part.”
“The significance of these arrests is that ransomware just became a high-risk activity,” he added. “Up to this point, ransomware was a relatively low risk, high reward proposition for enterprising criminals. It was seen, even by law enforcement, as nearly impossible to catch and prosecute ransomware gangs operating in Eastern Europe and other parts of the world due to difficulties in tracking and controlling cryptocurrencies used for payment and massive procedural and jurisdictional hurdles. Clearly, these are no longer showstoppers and it will definitely put the rest of the ransomware gangs on edge and on notice that they could be next. REvil was one of the most prolific ransomware gangs and they were virtually untouchable, until now.”