US charges Kaseya hacker and seizes $6M from REvil ransomware gang

The U.S. Department of Justice (DOJ) has charged a 22-year-old Ukrainian citizen linked to the REvil ransomware gang for orchestrating the July ransomware attack against U.S. technology firm Kaseya. It has also seized more than $6 million in ransom tied to another member of the notorious ransomware group.

During a news conference on Monday, U.S. Attorney General Merrick Garland announced that Yaroslav Vasinskyi was arrested last month in Poland at the request of the U.S. government and is currently being held pending U.S. extradition proceedings. Vasinskyi, who used different names online to avoid detection, is accused of being a long-time affiliate of the now-defunct REvil ransomware operation and of deploying 2,500 attacks against businesses worldwide.

Most notably, Vasinskyi — whose ransom demands are said to have totalled $767 million — is accused of being involved in the high-profile attack on Kaseya, which impacted more than 1,500 businesses in the U.S and carried a ransom demand of $70 million.

U.S. officials have also seized $6.1 million in connection with hacking campaigns linked to another REvil affiliate, Russian national Yevgeniy Polyanin, who is accused of conducting 3,000 ransomware attacks and extorting around $13 million from victims, U.S. officials said. Vasinsky and Polyanin have both been charged with conspiracy to commit money laundering, conspiracy to commit fraud and intentional damage to a protected computer.

“The Justice Department is sparing no resource to identify and bring to justice anyone, anywhere who targets the United States with a ransomware attack,” Garland said.

It’s not just the hackers the U.S. government is going after, as the Treasury Department also today announced sanctions against the Chatex cryptocurrency exchange for facilitating ransom transactions.

Additionally, the State Department has announced a reward of up to $10 million “for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group,” as well as up to $5 million for information leading to the arrest or conviction of any individual participating in a REvil variant ransomware incident.

Last week it announced a similar bounty for key information on the hackers behind the so-called DarkSide ransomware, which forced major U.S. fuel provider Colonial Pipeline to shut down for days in May. Prior to this, the U.S. has recovered $2.3 million of the ransomware payment that Colonial Pipeline paid to the ransomware gang.

In the past five months, the DoJ’s efforts have resulted in the arrest of seven REvil affiliates. European law enforcement agency Europol announced on Monday that two hackers who used the REvil ransomware to infect and attempt to extort as many as 5,000 victims had been arrested in Romania. The two unnamed individuals, who pocketed €500,000 (roughly $578,000) in ransom payments, were arrested on November 4, according to Europol. On the same day, Kuwaiti authorities also arrested a third REvil ransomware affiliate.

As well as Vasinskyi, who was arrested in October when trying to enter Poland from his native country, two other individuals believed to be REvil affiliates were apprehended in South Korea in February and April, law enforcement disclosed for the first time today.

“A total of seven suspects linked to the two ransomware families have been arrested since February 2021,” Europol said. “They are suspected of attacking about 7,000 victims in total.”

The arrests are the results of Operation GoldDust, which involved law enforcement agents from 17 countries, Europol, Eurojust and Interpol. The operation also received support from the cybersecurity industry from companies including Bitdefender, KPN and McAfee. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom.

According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cybercriminals. According to U.S officials, the entire REvil ransomware operation received more than $200 million since it started activity.

These arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma and other ransomware attacks.