Ukrainian cuffed, faces extradition to US for allegedly orchestrating Kaseya ransomware infection
American, European officials announce raft of arrests, indictments, sanctions, rewards
In a major ransomware bust US and European authorities on Monday announced separate but related indictments and arrests linked to extortionware attacks on IT service provider Kaseya and other firms.
Europol said Romanian police last week arrested two individuals suspected of involvement in cyberattacks that utilized the Sodinokibi/REvil ransomware. The unidentified individuals are said to have played a role in at least 5,000 malware infections that brought them half a million Euros in ransom payments.
The arrests, the European police agency said, are part of Operation GoldDust, which spanned 17 countries. In February, Euro cops nabbed three other individuals said to be affiliated with Sodinokibi/REvil and two people suspected of involvement with a ransomware family known as GandCrab.
Meanwhile, the US Justice Department on Monday held a press conference at which officials announced the seizure of $6.1m in ransomware payments and the indictment of two individuals, Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin, for allegedly conducting Sodinokibi/REvil attacks.
Vasinskyi, 22, was charged on August 11 in a now-unsealed indictment [PDF] with 11 felony counts, including conspiracy to commit fraud and to commit money laundering and intentional damage to a protected computer. After entering Poland on October 8, he was arrested, and the US is seeking his extradition.
Kaseya, the IT service provider thoroughly owned by REvil this year, is said to be among Vasinskyi's victims.
Polyanin, 28, was charged on August 24 in a now unsealed indictment [PDF] with 14 similar felony counts. He remains at large, and has had millions of dollars in funds, said to be traced to ransom payments, seized.
"The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government and especially our private sector partners," said FBI Director Christopher Wray in a statement.
"Our message to ransomware criminals is clear: If you target victims here, we will target you," said US Deputy Attorney General Lisa Monaco, in a statement. "The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today’s announcements showed how we will fight back."
- Report shines light on REvil's depressingly simple tactics: Phishing, credential-stuffing RDP servers... the usual
- Reward! Uncle Sam promises $10m for info about DarkSide ransomware gang chiefs
- BlackMatter ransomware gang says it's disbanding – again – after Ukraine arrests
- Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?
The US Treasury Department has issued sanctions against Vasinskyi and Polyanin, as well as four cryptocurrency businesses: Chatex, for facilitating ransomware transactions, and IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd, for providing the infrastructure that enabled Chatex.
The Biden administration has made a concerted effort to target cybercriminals who use ransomware to disrupt US commerce and infrastructure. So far, while US allies have tried to coordinate their enforcement operations, China and Russia haven't shown similar enthusiasm for cooperating.
Nonetheless, some progress is being made. For example, South Korean authorities recently extradited a Russian national said to be involved with Trickbot, a banking trojan with ransomware capabilities.
The US Department of State on Monday announced "a reward of up to $10m for information leading to the identification or location of any individual holding a key leadership position in the Sodinokibi ransomware variant transnational organized crime group." And there's an additional $5m offered for information that leads to an arrest and/or conviction.
The State Department last week made a similar $10m/$5m reward offer for information leading to the identification of location and to the arrest and/or conviction of the leaders of the DarkSide ransomware operation, which is said to have been used to attack the Colonial Pipeline Company in May 2021. ®