Security news that informs and inspires

U.S. Indicts Two Alleged REvil Operators, Seizes $6 Million in Payments

U.S. law enforcement has charged a Ukrainian man that is allegedly responsible for the REvil ransomware attack on software maker Kaseya in July. The operation also included the seizure of more than $6 million in ransom payments and the arrest of a Russian national who is also an alleged REvil operator.

The Department of Justice announced charges against Yaroslav Vasinskyi in connection with the Kaseya attack, which had significant disruptive downstream effects and brought a tremendous amount of attention to REvil. Vasinskyi is in Poland awaiting extradition and is facing fraud and money laundering charges. The Justice Department also announced charges against Yevgeniy Polyanin, a Russian, who has not yet been arrested. Vasinskyi was indicted on Aug. 11 and was arrested in Poland on Oct. 8 after he crossed the border from Ukraine. The $6.1 million in ransom payments the FBI recovered were connected to Polyanin, officials said.

“The success of this case proves the crucial importance of victim companies coming forward and working with law enforcement when they are hit with ransomware. Our message should be clear: If you target victims here we will target you and the Department of Justice won’t give up until you are held accountable,” said Deputy Attorney General Lisa Monaco.

The State Department has also offered a $10 million reward for information leading to the identification or location of REvil leadership.

REvil has been one of the more audacious and noisy ransomware-as-a-service (RaaS) groups, with the intrusion at Kaseya being the prime example. That intrusion led to infections at 1,400 of the company’s customers and focused a lot of attention on REvil. Soon after the attack, REvil dropped off the map, only to reemerge in September. But law enforcement agencies were already well into their investigation by then. Kaseya officials contacted the FBI soon after the company discovered that some of its customers’ networks were infected by REvil, and the bureau quickly started tracing the chain of events and linked the operation to specific REvil affiliates.

"If you target victims here we will target you and the Department of Justice won’t give up until you are held accountable."

“We’ve got ways of reaching people sheltered in places like Russia as Polyanin found out when he woke up and found $6.1 million missing,” said FBI Director Chris Wray.

As part of the same effort, the Department of the Treasury has sanctioned a cryptocurrency exchange called Chatex for facilitating currency transactions for ransomware operators.

“Ransomware groups and criminal organizations have targeted American businesses and public institutions of all sizes and across sectors, seeking to undermine the backbone of our economy,” said Deputy Secretary of the Treasury Wally Adeyemo. “We will continue to bring to bear all of the authorities at Treasury’s disposal to disrupt, deter, and prevent future threats to the economy of the United States. This is a top priority for the Biden Administration.”

In a related effort, a group of European law enforcement agencies have arrested five alleged affiliates of the REvil group, including two Romanians who they say are responsible for at least 5,000 ransomware infections around the world.

The arrests are part of a larger multinational push called Operation GoldDust that has included law enforcement agencies from 17 countries and is focused on disrupting ransomware operations. The effort has produced some notable results, such as the arrests of several affiliates of the GandCrab ransomware operation, which is now defunct. GandCrab is closely linked to the REvil operation and both have used the highly successful RaaS model to attract affiliates and generate revenue while outsourcing much of the work and risk to the affiliates.

The arrest of Vasinskyi and recovery of millions of dollars in ransomware payments are significant accomplishments for U.S. law enforcement, which has faced political and technical challenges in reaching alleged ransomware actors and locating and recovering their payments. Earlier this year, the FBI was able to recover a large portion of the ransom paid by Colonial Pipeline to the DarkSide ransomware group, but that kind of success is the exception rather than the rule.

In the indictment, the Justice Department alleges that Vasinskyi and his co-conspirators wrote the REvil ransomware, which is also known as Sodinokibi, and then recruited affiliates in underground forums.