Over the Fourth of July weekend in 2021, cybercriminals associated with the infamous, and now defunct, REvil cyber gang pulled off one of the most impactful ransomware attacks of all time.
The group targeted IT management company Kaseya, and the criminals' efforts were wildly successful. More than 1,000 of Kaseya's customers had their networks impacted by this incident, and the gang demanded a $70 million payment for a universal decryption key.
The attack was so large and impactful that the United States government offered a $10 million bounty for information leading to the arrest of the REvil hackers.
Just eight months after the attack, one of the alleged perpetrators arrived in Dallas, Texas, for his court date.
Yaroslav Vasinskyi, a 22-year-old Ukrainian, is charged with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. He faces a maximum penalty of 115 years in prison.
Ukrainian national arraigned for Kaseya incident
On October 8, 2021, Vasinskyi was taken into custody in Poland, where he awaited extradition to the U.S. until last week.
In connection with his arrest, the U.S. Department of Justice (DOJ) recovered $6.1 million in funds connected to the REvil ransomware gang.
The DOJ expands on the crimes committed by Vasinskyi:
"In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to 'endpoints' on Kaseya customer networks. After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.
Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims' computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files.
Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom. If a victim paid the ransom amount, the defendants provided the decryption key, and the victims then were able to access their files. If a victim did not pay the ransom, the defendants typically posted the victims' stolen data or claimed they sold the stolen data to third parties, and victims were unable to access their files."
U.S. Deputy Attorney General Lisa Monaco commented on the case:
"Just eight months after committing his alleged ransomware attack on Kaseya from overseas, this defendant has arrived in a Dallas courtroom to face justice. When we are attacked, we will work with our partners here and abroad to go after cybercriminals, wherever they may be," Monaco said.