The United States government, with help from international authorities, continues to turn the tide in the fight against cybercriminals, and ransomware in particular.
The Department of Justice (DOJ) announced another major win with the arrest of an individual linked to the notorious Russian cyber gang, REvil. This individual was allegedly responsible for deploying ransomware that led to the Kaseya incident.
The DOJ also announced it was able to recover $6.1 million tied to ransomware proceeds from another Russian national associated with REvil. This is the second time the Department was able to recover ransomware funds since they did so with the Colonial Pipeline incident earlier this year.
DOJ arrests Kaseya hacker
Attorney General Merrick Garland spoke to the press to discuss the arrest of Yaroslav Vasinskyi, also known by the online name of Rabotnik, who has been identified as playing a key role in the Kaseya hack.
Vasinskyi is charged with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering.
"The indictment charges that Vasinskyi and co-conspirators authored REvil software; installed it on victims' computers, resulting in encryption of the victims' data, including in the July 2 attack; demanded ransom payments from those victims; and then laundered those payments.
Two months after the indictment, on October 8, Vasinskyi crossed the border from Ukraine into Poland. There, upon our request, Polish authorities arrested him pursuant to a provisional arrest warrant. We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries.
Today, we are unsealing Vasinskyi’s indictment. Vasinskyi’s arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate and apprehend alleged cybercriminals – no matter where they are located."
FBI Director Christopher Wray also spoke on the matter, pointing out the government's successful response to the Kaseya incident was made possible in large part due to the company's willingness to cooperate.
"When Kaseya realized some of their customers’ networks were infected with ransomware, they immediately took action. They worked to make sure both their own customers – managed service providers – and those MSPs’ customers downstream, quickly disabled Kaseya’s software on their systems.
They also engaged with us, early. The FBI coordinated with a host of key partners – including CISA, and foreign law enforcement and intelligence services – so Kaseya could benefit from all of our expertise, authorities and reach as it worked to put out the fire."
Because of this response, the FBI was able to quickly identify affected customers of Kaseya and provide recommended mitigations. Ultimately, the were able to uncover a decryption key and take out some REvil cyber criminals in the process.
DOJ recovers millions in ransomware payments
The arrest of Vasinskyi is certainly a big win, but what it led to might be an even bigger story.
In connection to the Kaseya hackers' arrest, the DOJ announced it was able to recover $6.1 million tied to ransomware proceeds of another REvil hacker, Russian national Yevgeniy Polyanin.
Attorney General Merrick Garland also spoke on this case:
"As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 ransomware attacks. Polyanin's ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the State of Texas. Polyanin ultimately extorted approximately $13 million from his victims.
We are also announcing the unsealing of an indictment against Polyanin. Like the indictment against Vasinskyi, he is charged with conspiring to commit intentional damage to protected computers and to extort in relation to that damage; causing intentional damage to protected computers; and conspiring to commit money laundering."
This is only the second time the DOJ has been able to successfully recover funds tied to a ransomware payment, the first being from the Colonial Pipeline incident.
The Attorney General again highlights how critical prompt reporting of a cyber incident is, and even urges Congress "to create a national standard for reporting significant cyber incidents, and to require that the reported information be shared immediately with the Justice Department."
For more information on the arrests of these REvil associates, see the statement from the DOJ.
Don't miss out on any upcoming SecureWorld events, where you can learn, connect, and share thoughts on cybersecurity.