Ukrainian, Russian Each Charged, Sanctioned Due to Roles in REvil Ransomware Attacks

By Samuel Rubenfeld

Monday, November 8, 2021

U.S. authorities announced criminal charges and sanctions against two foreign nationals each accused of deploying ransomware to attack American businesses and governmental entities.

Yaroslav Vasinskyi, a Ukrainian national, was responsible for the July 2 ransomware attack against Kaseya, a multinational information technology software company, prosecutors said. Vasinskyi was arrested Oct. 8 in Poland at the request of the U.S. and is awaiting extradition, and authorities in multiple countries carried out related interviews and searches, prosecutors said.

Yevgeniy Polyanin, a Russian national, was charged with conducting multiple ransomware attacks, and the U.S. Justice Department seized USD 6.1 million in payments he received, prosecutors said. Polyanin is believed to be abroad and is wanted by the Federal Bureau of Investigation.

Both Vasinskyi and Polyanin were sanctioned by the U.S. Treasury Department, as was a company owned by Polyanin. The pair were part of a cybercriminal group that has engaged in ransomware activity and received more than USD 200 million in payments made in bitcoin and monero, the Treasury said. Ransomware, a form of software used to hold a victim’s data hostage until a payment is made to the attacker, has surged this year, the Treasury said. 

Each man was accused of carrying out attacks using ransomware associated with the Sodinokibi ransomware group, which is also known as REvil. The U.S. State Department on Monday announced a reward offer of up to USD 10 million for information leading to the identification or location of any individual holding a leadership role in REvil, and an additional USD 5 million for information on anyone with a role in a REvil ransomware incident.

The charges, sanctions and seizures come as the U.S. continues a multifront effort against ransomware. Also Monday, the Treasury sanctioned a virtual currency exchange and issued an updated advisory on ransomware and the use of the financial system to facilitate payments. Earlier in the day, European police had announced multiple arrests associated with REvil.

“Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice and to recover the funds they have stolen from the American people,” Attorney General Merrick Garland said during a press conference on Monday.

Through the deployment of the REvil ransomware, Vasinskyi and Polyanin allegedly left notes in the form of a text file on victim computers. The notes included a link leading to the privacy network known as Tor, and another link that victims could visit to recover their files, prosecutors said. Upon visiting either site, however, victims received a ransom demand and were given a virtual currency address to deliver payment. Victims received a decryption key if they paid, but if they didn’t, the stolen data was posted or victims were told it had been sold to a third party, according to prosecutors.

Kaseya, the IT company allegedly attacked by Vasinskyi, engaged with the U.S. government and its customers to address the problem, officials said at the press conference, stressing the benefits of cooperating in ransomware matters. 

Since its first attack, REvil victimized more than 1,000 entities in multiple industry sectors, including private businesses; law enforcement and government agencies; and educational and medical institutions, a State Department spokesman said Monday in a separate briefing. 

REvil shut down its operations last month, saying in a hacking forum that it had lost control of its Tor-based domains, according to a report by The Record, a publication of the security firm Recorded Future. The group was itself hacked and forced offline in a multi-country operation, Reuters reported, citing unnamed private sector experts and current and former officials.
