zephyr_p - stock.adobe.com

US seeks to extradite REvil affiliate who attacked Kaseya

US Department of Justice unseals charges against a Ukrainian national accused of being behind the summer 2021 REvil ransomware attack on Kaseya

The US government will attempt to extradite from Poland a Ukrainian national accused of being behind the 2 July 2021 REvil (aka Sodinokibi) ransomware attack on Kaseya, in a developing global crackdown on the cyber crime syndicate that has also seen two arrests made of gang affiliates in Romania.

In an indictment made in August, which was unsealed on Monday 8 November by US attorney general Merrick Garland at the Department of Justice (DoJ) in Washington DC, 22-year-old Yaroslav Vasinskyi, currently in custody, was charged with multiple cyber crime offences. He was apprehended on 8 October while trying to cross the border from Ukraine into Poland after the US issued an international arrest warrant.

“Cyber crime is a serious threat to our country – to our personal safety, to the health of our economy and to our national security,” said Garland. “Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims.”

At the same time, the DoJ announced the seizure of $6m (£4.4m/€5.2m) in funds that are allegedly linked to REvil ransom payments received by 28-year-old Yevgeniy Polyanin, who is accused of extorting $13m in a series of 3,000 REvil ransomware attacks across the US.

“Our message to ransomware criminals is clear: if you target victims here, we will target you,” said US deputy attorney general Lisa Monaco.

“The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today’s announcements showed how we will fight back. In another success for the department’s recently launched Ransomware and Digital Extortion Task Force, criminals now know we will take away your profits, your ability to travel, and – ultimately – your freedom.

“Together with our partners at home and abroad, the department will continue to dismantle ransomware groups and disrupt the cyber criminal ecosystem that allows ransomware to exist and to threaten all of us.”

Both Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit computer fraud, damage to protected computers, and conspiracy to commit money laundering. If convicted, the men face maximum penalties of 115 and 145 years in prison, respectively.

Rapid7 chief data scientist Bob Rudis said: “REvil has caused massive damage during its tenure as the ‘Amazon’ of criminal ransomware-as-a-service [RaaS] operators. The Kaseya attack enabled by their platform was not a minor event and caused havoc in both meatspace and cyberspace, impacting families, schools, municipalities, healthcare providers, small businesses and large enterprises across the globe.

“It is encouraging to see what can be done when policy meets enablement and authorities are given support and resources to take decisive action. I am hopeful that as more criminals are caught and prosecuted, and as their ill-gotten gains are recovered, we will finally start to see attackers move on to other, less risky business models, or go away completely, but that is more of a dream than likelihood.”

The US Department of State today announced a $10m bounty for information leading to the identification or location of any of REvil’s leaders, and $5m for information leading to the arrest or conviction in any country of any individual conspiring to participate in, or attempting to participate in, a REvil attack. This is the second reward the US government has offered for information on ransomware operators, following last week’s targeting of the DarkSide group.

Meanwhile, the US Treasury’s Office of Foreign Asset Control (Ofac) has designated both Vasinskyi and Polyanin for their role in multiple REvil attacks on US targets, as well as a company owned by Polyanin. This means that any of their property or property interests which are subject to US jurisdiction have been blocked, and US citizens are prohibited from engaging in transactions with them, while any financial institutions that engage with them may expose themselves to sanctions or law enforcement action.

In a further action, Ofac has also designated the Chatex cryptocurrency exchange for facilitating financial transactions for multiple ransomware operators, and three other entities – Izibits Ou, Chatextech SIA and Hightrade Finance – for providing material support and assistance to Chatex, including setting up its IT infrastructure.

“Ransomware groups and criminal organisations have targeted American businesses and public institutions of all sizes and across sectors, seeking to undermine the backbone of our economy,” said deputy Treasury secretary Wally Adeyemo.

“We will continue to bring to bear all of the authorities at the Treasury’s disposal to disrupt, deter and prevent future threats to the economy of the United States. This is a top priority for the Biden administration.”

Read more about the end of REvil

2 July 2021: A REvil operative, allegedly Yaroslav Vasinskyi, demands a $70m ransom following an audacious heist on the systems of Kaseya.

14 July 2021: REvil’s infrastructure and its dark web leak site, the so-called Happy Blog, disappear without warning, prompting widespread speculation in the infosec community as to the group’s fate.

8 September 2021: REvil reappears following almost two months of inactivity, with a number of new ransomware attacks taking place.

16 September 2021: Bitdefender, along with law enforcement partners that we now know to have been involved in a major operation against REvil gang members, release a free decryptor tool to help its victims recover their data without paying.

22 October 2021: The US reveals that, working alongside other governments, it has hacked and taken down REvil’s infrastructure.

8 November 2021: Just hours before the DoJ’s formal indictment of Vasinskyi and Polyanin, Europol announces the arrest of two other REvil affiliates in Romania.

Read more on Hackers and cybercrime prevention