The Department of Justice today announced recent action taken against two foreign nationals accused of deploying Sodinokibi / REvil ransomware to attack businesses and government entities in the United States.
An indictment released today accuses Yaroslav Vasinskyi, 22, a Ukrainian national, of carrying out ransomware attacks against multiple victims, including the July 2021 attack on Kaseya, a multinational information technology software company.
The department also announced today the seizure of $6.1 million in funds attributable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also accused of carrying out Sodinokibi/REvil ransomware attacks against several victims, including businesses and government entities in Texas, on or around August 16, 2019.
According to the indictments, Vasinskyi and Polyanin accessed the internal computer networks of several victimized companies and deployed Sodinokibi / REvil ransomware to encrypt data on the computers of the victimized companies.
“Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy and to our national security,” said Attorney General Garland. “Our message today is clear. The United States, along with our allies, will do everything in their power to identify the perpetrators of ransomware attacks, bring them to justice, and recover the funds they have stolen from their victims.”
“Our message to ransomware criminals is clear: if you target the victims here, we will target you,” said Deputy Attorney General Monaco. “The Sodinokibi/REvil ransomware group is attacking businesses and critical infrastructure around the world, and today’s announcements have shown how we will fight back. In another success from the department’s recently launched ransomware and digital extortion task force, criminals now know we’re going to rob you of your profits, your ability to travel, and ultimately your freedom. Working with our partners at home and abroad, the Department will continue to dismantle ransomware groups and disrupt the cybercriminal ecosystem that allows ransomware to exist and threaten us all.”
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and the seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the result of close collaboration with our international and U.S. government partners, and especially our private sector partners,” said FBI Director Christopher Wray. “The FBI has worked creatively and tirelessly to counter the hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious and unacceptable threat to our security and economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure and their money, wherever they are in the world.”
“Ransomware can cripple a business in minutes. These two defendants deployed some of the internet’s most virulent code, created by REvil, to hijack victims’ computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas. “In a few months, the Department of Justice identified the perpetrators, made an arrest and seized a large sum of money. The Department will explore the darkest corners of the Internet and the most remote corners of the world to track down cybercriminals.”
According to court documents, Vasinskyi is responsible for the July 2 ransomware attack on Kaseya. In the alleged attack on Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code through a Kaseya product, which caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After remote access to the Kaseya endpoints was established, the ransomware was executed on those computers, resulting in the encryption of data on the computers of organizations around the world that were using Kaseya software.
Through the deployment of the Sodinokibi/REvil ransomware, the defendants reportedly left electronic notes in the form of a text file on the victims’ computers. The notes included a web address leading to an open source privacy network known as Tor, as well as a link to a publicly accessible website address that victims could visit to recover their files. On visiting either website, victims were shown a ransom note and provided with a virtual currency address to use to pay the ransom. If a victim paid the ransom amount, the defendants would provide the decryption key and the victims could then access their files. If a victim did not pay the ransom, the defendants would typically post the victim’s stolen data or claim to have sold the stolen data to third parties, and the victims were not able to access their files.
Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. If convicted on all counts, each faces a maximum sentence of 115 and 145 years in prison, respectively.
The $6.1 million seized from Polyanin is believed to be attributable to ransomware attacks and money laundering committed by Polyanin through his use of the Sodinokibi/REvil ransomware. The seizure warrant was issued from the Northern District of Texas. Polyanin is believed to be overseas.
On October 8, Vasinskyi was taken into custody in Poland, where he is still being held by the authorities pending proceedings relating to his request for extradition to the United States, in accordance with the extradition treaty between the United States and the Republic of Poland. Along with the arrest, interviews and searches were carried out in several countries and would not have been possible without the swift response of the National Police of Ukraine and the Prosecutor General’s Office of Ukraine.
FBI field offices in Dallas and Jackson are investigating. Substantial assistance was provided by the Department of Justice’s Office of International Affairs and the Counterintelligence and Export Control Section of the National Security Division.
Assistant U.S. Attorney Tiffany H. Eggers of the U.S. Attorney’s Office for the Northern District of Texas and Senior Counsel Byron M. Jones of the Department of Justice’s Computer Crime and Intellectual Property Section are prosecuting the case.
The U.S. Attorney’s Office for the Northern District of Texas, the FBI Field Offices in Dallas and Jackson, and the Criminal Division’s Computer Crime and Intellectual Property Section conducted the operation in close cooperation with Europol and Eurojust, which were an integral part of the coordination. Investigators and prosecutors from several jurisdictions provided invaluable assistance, including: the Romanian National Police and the Directorate for Investigating Organized Crime and Terrorism; the Royal Canadian Mounted Police; the Paris Court and BL2C (anti-cybercrime police); the Dutch National Police; the Polish National Prosecutor’s Office, the Border Guard, the Internal Security Agency and the Ministry of Justice; and the governments of Norway and Australia.
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the German Public Prosecutor’s Office in Stuttgart and the State Bureau of Criminal Investigation of Baden-Württemberg; the Swiss Public Prosecutor’s Office II of the Canton of Zurich and the Cantonal Police of Zurich; the UK National Crime Agency; the U.S. Secret Service; the Texas Department of Information Resources; BitDefender; McAfee; and Microsoft also provided significant assistance.
This case is part of the Justice Department’s Ransomware and Digital Extortion Task Force, which was created to address the growing number of ransomware and digital extortion attacks. As a member of the task force, the Criminal Division, in conjunction with the U.S. Attorneys’ Offices, prioritizes the disruption, investigation and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The department, through the task force, is also strategically targeting the broader ransomware criminal ecosystem and working with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.
For more information on the Ransomware and Digital Extortion Task Force, read the Deputy Attorney General’s recent guidance memorandum on investigations and related cases. For more resources on preventing and responding to ransomware, visit StopRansomware.gov.
An indictment is only an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in court.