US charges 2, seizes more than $6 million as part of dragnet against REvil ransomware gang
The U.S. government announced a sweeping set of actions Monday targeting alleged REvil ransomware attackers in Europe, including an arrest, an indictment, seizure of more than $6 million in stolen money and new sanctions against a cryptocurrency exchange service and companies that support it.
Yaroslav Vasinksyi, a 22-year-old Ukrainian national, was arrested Oct. 8 as he crossed the border into Poland at the behest of US authorities, CyberScoop first reported Nov. 2. Vaskinskyi is accused of writing the code behind REvil malware, also known as Sodinokibi, which has become among the most virulent ransomware strains in use. U.S. Attorney General Merrick Garland said the malware has been “deployed” against roughly 175,000 computers worldwide, generating at least $200 million in extortion fees.
U.S. officials also announced criminal charges against Yevgeniy Polyanin, a Russian national. Along with the charges of conspiracy to commit fraud in connection with computers, intentional damage to a protected computer, and conspiracy to commit money laundering, officials also seized $6.1 million from Polyanin, as CNN first reported. Polyanin conducted roughly 3,000 ransomware attacks against organizations including law enforcement agencies and municipalities, and extorting roughly $13 million from his victims, Garland said during a press conference.
“We expect and hope that any government in which one of these ransomware actors is residing will do everything it can to provide that person to us for prosecution,” he said when asked whether U.S. authorities expected cooperation from Russia, where Polyanin is thought to reside.
The indictment against Vasinskyi — who is awaiting extradition in Poland — alleges 10 instances of breaking into victim computer networks in Texas. He’s also accused of being involved in the ransomware attack on Florida-based Kaseya, an IT and security management services firm. That attack led to as many as 1,500 breaches of Kaseya’s clients, such as schools in New Zealand, a major Swedish grocery chain, and two Maryland towns.
Along with the criminal charges and seizures, officials announced new U.S. Treasury sanctions against Chatex, a virtual currency exchange, and a trio of companies accused of helping Chatex operate. Chatex is accused of facilitating transactions for ransomware actors.
“When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable,” President Joe Biden said in a statement issued after the press conference. “That’s what we have done today.”
The announcements Monday came hours after Europol disclosed that Romanian police had arrested two additional suspects in connection with REvil ransomware attacks. The enforcement actions are part of a coordinated, global push against ransomware attacks. The U.S. and other governments have hacked ransomware servers, hijacked traffic to effectively deny access to an extortion website, and, most recently, the U.S. State Department announced a $10 million bounty for information on the location of leaders of the DarkSide ransomware gang, and a $5 million bounty for information that least to the arrest or conviction of any affiliates of the group.
Garland — along with Deputy Attorney General Lisa Monaco and FBI Director Chris Wray — used Monday’s press conference to press Congress to mandate a national standard for significant cyber incidents. Garland said the “failure to timely report … puts other potential victims into jeopardy,” and deprives investigators from information that can aid their work. To that end Congress should “require that the reported information be shared immediately with the Justice Department.”
Monaco said this “is the reason you want to work with law enforcement,” referring to companies or organizations hit with ransomware. “Know that if you pick up the phone, and if you call the FBI, this team is waiting for you on the other end of the line.”
Congress is currently settling on cyber incident reporting requirements for the owners and operators of critical infrastructure, but that law doesn’t include a reporting requirement to the Department of Justice.
Updated, 11/8/21: To include a statement from President Biden.