Gotcha! Charges in REvil Attack, Feds Seize $6M

The long arm of the law just reached out and dragged Yaroslav Vasinskyi into the American criminal justice system, readying charges against the Ukrainian man for a REvil ransomware attack against a U.S. company, Kaseya, in July.

Law enforcement also relieved another operative of $6 million in ransom payments.

Vasinskyi, who was arrested in Poland in October, stands accused of using the ransomware to attack the software company, affecting as many as 1,500 other businesses.

The REvil operative and the other man, Russian national Yevgeniy Polyanin, will face numerous charges, including two counts of conspiracy—one to commit fraud and another to commit money laundering.

The Biden administration promised to take a hard line against ransomware actors and the countries that harbor them, and to act with speed. Attorney General Merrick Garland pointed out that Vasinskyi was charged within weeks of the July attack. “His arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate and apprehend alleged cybercriminals no matter where they are,” he said.

“Law enforcement operations targeting ransomware groups are making considerable gains in both seizing ransom fees and providing charges against those involved in ransomware activity,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “The recent seizure of funds associated with REvil’s operations echoes activity the U.S. Department of Justice took in June 2021, in which $2.3 million of cryptocurrency fees paid to the Darkside group were seized by U.S. authorities.”

White said that “while the numbers of arrests and funds seized are relatively low when considering the numbers of attacks occurring each week, it does represent a significant step in the right direction and a playbook that law enforcement can continue to follow.”

And, he said, “the tempo of law enforcement operations may already be having an impact on the confidence of ransomware groups; in the past week the BlackMatter ransomware group reportedly retired their service, citing pressure from authorities.”

But despite the trend of recovering ransom payments, “it’s still a best practice to do everything you can to not pay the ransom when targeted by malicious actors,” said Hank Schless, senior manager, security solutions, at Lookout. “There is no guarantee you’ll actually get all of your data back, and if it becomes known that you paid the ransom there’s a greater likelihood that you’ll be targeted again.”

The uptick in ransomware attacks “is enabled by growth in the ransomware-as-a-service (RaaS) market. RaaS like REvil enables threat actors who are affiliates of the ransomware groups that develop these services to execute sophisticated attacks with pre-built malware,” said Schless. “This exemplifies how ransomware groups are becoming more operationally sophisticated. They run themselves like a small business by offering a service, figuring out a repeatable model and continuously reinvesting in new tactics and technology that create continued success of their product.”

REvil went on a tear earlier this year, launching attack after damaging attack, and sending both the public and private sectors scrambling to harden defenses. The breadth of the Kaseya attack, which began on the Friday of the U.S. Independence Day weekend, raised the alarm for many. The international managed services company manages internet services for countless organizations and the attack had the potential to devastate thousands of businesses.

Reports said that the FBI had gotten its hands on the group’s encryption keys.

REvil has darted in and out of public view in the past several months, claiming to shut down as the feds closed in on them in September with encryption keys in hand, only to reemerge in underground forums in September. The group went to ground again in October, going dark after its payment portal and blog used to leak victims’ data were hijacked, perhaps by a former member who goes by “Unkn.”

This latest action against REvil’s malicious actors is “encouraging” and “a step in the right direction,” said Schless. “Hopefully this is indicative of more frequent discovery, location and arrest of cybercriminals,” he said, noting that it can be “nearly impossible to track down” the individuals involved, even after attribution is known.

“These arrests are a movement in the right direction,” he said.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.