
Alleged REvil Operator Extradited to U.S.


The Ukrainian man who United States authorities allege is responsible for the REvil ransomware attack on software maker Kaseya last summer is now in the U.S. and has been arraigned on money laundering and fraud charges in connection with the attack.

Authorities in Poland arrested Yaroslav Vasinskyi in November at the behest of U.S. officials, and he remained in custody there until last week, when he was transported to Texas to face charges. He was arraigned Wednesday.

“Just eight months after committing his alleged ransomware attack on Kaseya from overseas, this defendant has arrived in a Dallas courtroom to face justice,” said Deputy Attorney General Lisa Monaco. “When we are attacked, we will work with our partners here and abroad to go after cybercriminals, wherever they may be.”

The Kaseya intrusion in July was one of the more damaging and high-profile ransomware attacks in recent memory. The attackers exploited a flaw in the Kaseya Virtual Server Administration (VSA) product to gain access to the servers at some managed services providers, and from there were able to deploy the REvil ransomware on the networks of hundreds of customers of those MSPs. As a result of the incident, Kaseya was forced to take the VSA service offline for some time before eventually restoring it.


The attack had widespread effects on customers and the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) began investigating it immediately. Within a few months, the Department of Justice announced indictments against Vasinskyi and Yevgeniy Polyanin, a Russian. The department also seized $6 million in ransom payments as part of that operation, which was done in conjunction with authorities in Poland and elsewhere.

The REvil ransomware operation has been the focus of intense scrutiny by U.S. authorities for several years, and in addition to the indictments in the Kaseya intrusion, the Department of Justice has had some other successes against the group recently. In January, Russian authorities arrested 14 alleged REvil members and seized hundreds of thousands of dollars in cash, cryptocurrency, vehicles, and other items. That raid was carried out after sustained lobbying by U.S. officials, and the Russian FSB state security service said the operation was done at "the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption."

REvil is a ransomware-as-a-service operation, like many other ransomware operations these days, selling its tools to various cybercriminals. In addition to the Kaseya attack, the REvil ransomware was also used in the intrusion at food supplier JBS USA last year.

If he’s convicted on all charges, Vasinskyi faces a maximum of 115 years in prison.

“When last year I announced charges against members of the Sodinokibi/REvil ransomware group, I made clear that the Justice Department will spare no resource in identifying and bringing to justice transnational cybercriminals who target the American people,” said Attorney General Merrick Garland. “That is exactly what we have done. The United States, alongside our international partners, will continue to swiftly identify, locate, and apprehend alleged cybercriminals, capture their illicit profits, and bring them to justice.”