DOJ charges and sanctions REvil leaders behind Kaseya attack, seizes $6 million in ransoms

The US also sanctioned the Chatex cryptocurrency exchange for allegedly helping ransomware groups launder money.
Written by Jonathan Greig, Contributor

US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the members of the REvil ransomware group as well as sanctions against organizations helping groups launder illicit funds.

At a press conference on Monday, US attorney general Merrick Garland announced indictments of 22-year-old Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin for their involvement in REvil's operations. 

CyberScoop reported that Vasinskyi was arrested in Poland last month after leaving Ukraine and is now facing charges for the attack on Kaseya that infected more than 1,000 companies with ransomware this summer. 

Garland said that Vasinskyi -- who went by the name "Rabotnik" online -- was one of the masterminds behind the REvil ransomware and is facing extradition after being arrested by Polish authorities on October 8. Garland added that while Polyanin has not been arrested, he was also hit with a litany of hacking-related charges and had $6.1 million in ransom payments seized by law enforcement agencies. 

The indictment shared by the DOJ said Vasinskyi has been part of the REvil ransomware gang since at least 2019 and has launched at least 2,500 attacks. The DOJ said he made $2.3 million from ransoms after demanding a total of more than $760 million. 

According to the DOJ, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group has allegedly brought in at least $200 million from ransoms. Garland noted that Polyanin had been tied to at least 3,000 ransomware attacks. 

"Polyanin's ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million from his victims," Garland said while unveiling the indictments of both men. 

"For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation's resilience to cyber threats."

Garland, deputy attorney general Lisa Monaco, and FBI Director Christopher Wray, repeatedly thanked Kaseya for coming forward to law enforcement agencies almost immediately after discovering the REvil attack. 

All three noted that the company's quick decision went a long way in helping the FBI and others track down the payments and help other victims. 

"The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government and especially our private sector partners," Wray said. 

Alongside the indictments, the Treasury Department announced sanctions against the Chatex virtual currency exchange and its associated support network for allegedly facilitating financial transactions for ransomware actors.

IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd were also sanctioned for providing support to Chatex. Vasinskyi and Polyanin were slapped with sanctions as well. 

The Treasury Department also unveiled a $10 million bounty for any information about anyone who holds a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group. 

There is another $5 million reward for information leading to the arrest or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.

Recorded Future ransomware expert Allan Liska said the slate of actions on Monday dispelled the notion that law enforcement action was largely ineffective against ransomware groups. 

"We're not going to pop corks and say ransomware is over yet, but I do think that we're starting to see an impact. I'm excited that there are more sanctions against cryptocurrency exchanges that are known for laundering money. I also like that the Treasury Department called out some smaller countries, like Estonia and Romania, for their assistance in this, because I think it starts to show that Russia really is isolated in this, more so than they had been in the past," Liska said.

"The seizing of those assets from a Russian citizen kind of shows that even if you're based in Russia, you're not safe. They may not be able to arrest you, but they can impact you in ways that you probably haven't thought of yet."

The actions on Monday started with the arrest of two people connected to REvil by Romanian authorities. Police in Kuwait arrested another GandGrab affiliate as well. 

US agencies have been working with Europol, Eurojust, Interpol, and other law enforcement organizations on "Operation GoldDust" to disrupt multiple ransomware groups over the past six months. Seventeen countries have been involved in the effort, and dozens of people have been nabbed across Europe in connection with ransomware groups. 

REvil closed shop for the second time last month after saying the pressure from law enforcement had gotten too great for them to continue their operation. 

One of the operations referenced in the indictments was a massive 2019 ransomware attack that targeted dozens of local governments in the state of Texas. 

Andy Bennett, CISO of Apollo Information Systems, told ZDNet that he was the incident commander for the attack in Texas. It was long overdue for the people behind the attack to face some kind of retribution. 

"Years of hard work and cooperation finally paid off. These attackers held public and private organizations and even entire communities hostage, and it took organizations having the fortitude not to pay the ransom cooperating with law enforcement to provide the path to bring these criminals to justice," Bennett said. 

"The significance of these arrests is that ransomware just became a high-risk activity. Up to this point, ransomware was a relatively low risk, high reward proposition for enterprising criminals. Even by law enforcement, it was seen as nearly impossible to catch and prosecute ransomware gangs operating in Eastern Europe and other parts of the world due to difficulties in tracking and controlling cryptocurrencies used for payment and massive procedural and jurisdictional hurdles. Clearly, these are no longer showstoppers, and it will definitely put the rest of the ransomware gangs on edge and on notice that they could be next. I could not be happier to see these particular threat actors brought to justice as it was REvil/Sodin who hit 23 local governments in Texas in August of 2019."

Editorial standards