US amps up war on ransomware with charges against REvil attackers

One person fingered for the July 2021 attack against Kaseya is in custody, while the other individual is still at large.

Ransomware concept

Image: Wetzkaz Graphics/Shutterstock

The United States has taken another significant legal step in its battle against ransomware. On Monday, the US Department of Justice announced formal charges against two foreign nationals for their role in deploying REvil ransomware attacks against organizations throughout the country. Based on the indictments, the two individuals accessed the networks of their intended victims and used the Sodinokibi/REvil ransomware to encrypt sensitive data and hold it hostage.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

A 22-year-old Ukrainian national named Yaroslav Vasinskyi has been charged with multiple ransomware incidents, including the July 2021 attack against IT enterprise firm Kaseya.

In that campaign, the attackers exploited a security vulnerability in Kaseya's VSA product, a program used by managed service providers (MSPs) to remotely monitor and administer IT services for customers. Vasinskyi was arrested in Poland on October 8 and is now being held by authorities while awaiting extradition to the US.

Also charged by the State Department is 28-year-old Russian national Yevgeniy Polyanin, who allegedly conducted Sodinokibi/REvil ransomware attacks against a variety of victims, including businesses and government agencies in Texas in 2019. Polyanin is currently still at large but is believed to be in Russia, possibly in the Western Siberian city of Barnaul, according to the FBI's Wanted notice.

"It's encouraging to hear that the Justice Department was able to track down those responsible for the Kaseya attack," said Hank Schless, senior manager for security solutions at Lookout. "Hopefully this is indicative of more frequent discovery, location, and arrest of cybercriminals. Even if an attack is attributed to a particular group, the individuals within that group can be nearly impossible to track down. These arrests are a movement in the right direction."

The State Department said that it seized $6.1 million in funds allegedly traceable to ransomware payments received by Polyanin. The funds were also connected to money laundering tactics allegedly committed by Polyanin to try to mask the illegal payments.

Vasinskyi and Polyanin are charged with conspiracy to commit fraud and related activities, substantive counts of damage to protected computers and conspiracy to commit money laundering. If convicted on all counts, they face maximum penalties of 115 and 145 years in prison, respectively.

As described in one of the indictments, Vasinskyi and Polyanin were both accused of being affiliates of the REvil ransomware group, which acts as a Ransomware-as-a-Service (RaaS) operation. In this process, REvil group members farm out the necessary tools to other cybercriminals who carry out the actual attacks.

"The Ukrainian who the US wants to be extradited is highly likely one of the affiliates as stated and not part of the core gang," said Jon DiMaggio, chief security strategist at Analyst1. "The indictment also stated Vasindkyi 'deployed Sodinokibi ransomware.' If he was behind the part of the operation in which he deployed malware, he was a hired hacker (AKA, an affiliate). The core group ran the operations but did not do the dirty work of breaching and infecting targets." 

SEE: Infographic: The 5 phases of a ransomware attack (TechRepublic)

Both Vasinskyi and Polyanin allegedly directed their victims to a website where they could recover the stolen and encrypted files. If the victim paid the demanded ransom, the files would be decrypted. If not, the attackers either publicly leaked the stolen files or claimed that they sold them to a third party.

"Our message to ransomware criminals is clear: If you target victims here, we will target you," Deputy Attorney General Monaco said. "The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today's announcements showed how we will fight back.  In another success for the department's recently launched Ransomware and Digital Extortion Task Force, criminals now know we will take away your profits, your ability to travel, and—ultimately—your freedom."

In a related matter, Europol announced the arrest of three individuals suspected of deploying Sodinokibi/REvil and GandCrab ransomware attacks. As part of a global initiative known as Operation GoldDust, two people were arrested by Romanian authorities, while the other was arrested in Kuwait.

Following a string of high-profile attacks by REvil, DarkSide and other criminal enterprises, the US government and international law enforcement have vowed to fight back. The latest indictments by the State Department follow other recent initiatives that officials believe show progress in the war against this destructive type of cybercrime.

Earlier this month, the BlackMatter ransomware gang claimed that it was disbanding due to pressure from legal authorities. Around the same time, the US government announced a $10 million reward for information leading to the arrest of DarkSide ransomware gang leaders. And in October, the REvil gang reportedly lost access to some of its servers after they were taken over by law enforcement officials in the US and other countries in an ongoing operation.

SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)

REvil and other ransomware groups such as DarkSide have been linked with Russia, either operating on behalf of the country's GRU military intelligence unit or pulling off attacks with the Kremlin's tacit permission. Those ties have challenged the Biden administration, which has been trying to convince Russian President Vladimir Putin to take a tougher stance against ransomware attackers.

"The core group that runs REvil operations resides in Russia," DiMaggio said. "Their comments on forums and statements in media interviews suggest they have an allegiance to Russia and do not fear the US. The individuals arrested were outside Russia. However, various affiliates reside in Russia, Ukraine and other eastern European countries and support REvil operations."

In addition to the efforts by law enforcement, organizations need to protect and secure themselves from data breaches and ransomware attacks. Otherwise, these criminal groups will simply continue to carve out a healthy business despite the risks of arrest and prosecution. Toward that end, Schless offers some helpful insight:

"Most ransomware attacks start with compromised user credentials," Schless said. "The most common way for attackers to steal login details is through mobile phishing where they can target employees across a plethora of personal and work apps. Whether it's SMS, email, social media, or third-party messaging platforms, attackers have grown adept at targeting us with social engineering attacks that convince us to log in to bogus platforms and unknowingly share our credentials. Once the attackers have access, they're free to move laterally around the infrastructure until they find the valuable data they desire."

Also see