US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the leaders of the REvil ransomware group as well as sanctions against organizations helping groups launder illicit funds.
At a press conference on Monday, US attorney general Merrick Garland announced indictments of 22-year-old Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin for their involvement in REvil’s operations. Vasinskyi was arrested in Poland last month and is now facing charges for the attack on Kaseya that infected more than 1,000 companies with ransomware this summer.
Garland said that Vasinskyi — who went by the name “Robotnik” online — was one of the masterminds behind the REvil ransomware and is facing extradition after being arrested by Polish authorities on October 8. Garland added that while Polyanin has not been arrested, he was also hit with a litany of hacking-related charges and had $6.1 million in ransom payments seized by law enforcement agencies.
According to the DOJ, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group has allegedly brought in at least $200 million from ransoms. Garland noted that Polyanin has been tied to at least 3,000 ransomware attacks.
“Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million dollars from his victims,” Garland said while unveiling the indictments of both men.
“For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.”
Garland, deputy attorney general Lisa Monaco, and FBI director Christopher Wray repeatedly thanked Kaseya for coming forward to law enforcement agencies almost immediately after discovering the REvil attack.
All three noted that the company’s quick decision went a long way in helping the FBI and others track down the payments and help other victims.
Alongside the indictments, the Treasury Department announced sanctions against the Chatex virtual currency exchange and its associated support network for allegedly facilitating financial transactions for ransomware actors.
IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd were also sanctioned for providing support to Chatex.
The Treasury Department also unveiled a $10 million bounty for information on anyone who holds a key leadership position in the Sodinokibi/REvil ransomware transnational organized crime group.
A further $5 million reward is offered for information leading to the arrest or conviction, in any country, of any individual who conspires to participate in, or attempts to participate in, a ransomware incident involving a Sodinokibi variant.
Recorded Future ransomware expert Allan Liska said the slate of actions on Monday dispelled the notion that law enforcement action was largely ineffective against ransomware groups.
“We’re not going to pop corks and say ransomware is over yet, but I do think that we’re starting to see an impact. I’m excited that there are more sanctions against cryptocurrency exchanges that are known for laundering money. I also like that the Treasury Department called out some smaller countries, like Estonia and Romania, for their assistance in this, because I think it starts to show that Russia really is isolated in this, more so than they had been in the past,” Liska said.
“The seizing of those assets from a Russian citizen kind of shows that even if you’re based in Russia, you’re not safe. They may not be able to arrest you, but they can impact you in ways that you probably haven’t thought of yet.”