Russia-linked REvil hackers hit with arrests by U.S., allies

After vowing for months to crack down on ransomware, the Biden administration and allied countries unleashed a string of actions Monday against one of the most prolific hacking groups and also issued sanctions against cryptocurrency entities that allegedly enable such attacks.

European authorities announced that police in Romania and South Korea had arrested five people allegedly associated with the Russia-linked ransomware group commonly known as REvil or Sodinokibi. In the U.S., a Ukrainian national, Yaroslav Vasinskyi, and a Russian national, Yevgeniy Polyanin, were indicted for alleged involvement in REvil ransomware attacks, according to Justice Department court documents unsealed Monday in Dallas.

“Together with our partners, the Justice Department is sparing no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack,” Attorney General Merrick Garland said at a news conference in Washington. “The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.”

While the arrests and associated actions demonstrate a significant capability of governments to disrupt hackers, it remained unclear how much of an impact they’ll have on preventing future ransomware attacks. Cybersecurity experts warn that hackers operate in loosely affiliated groups, often in countries like Russia where they can evade law enforcement.

Jon DiMaggio, chief security strategist at Analyst1, said the indictments can be important in slowing down groups like REvil. “But at the end of the day, there is no shortage of hackers for hire that want to make money by getting in with these guys,” he said.

[Photo: Red light illuminates the keys of a laptop computer. Photographer: Andrey Rudakov/Bloomberg]

“Maybe they’ll think for a second longer before they join, if there’s law enforcement action against a specific group. Time will tell,” he said. “But criminals are criminals. They’re generally not afraid of law enforcement.”

In Washington, the Treasury Department announced actions intended to disrupt ransomware attacks and the virtual currency exchanges that launder the illicit proceeds. The State Department offered a reward of as much as $10 million for information leading to the identification or location of REvil’s leaders and as much as $5 million for information leading to the arrest or conviction of individuals who participated in attacks involving REvil’s malware.

“REvil,” short for “Ransomware-Evil,” is known as one of the world’s most infamous ransomware gangs. The group is accused of staging several attacks this year against major companies and organizations, including Brazilian meat supplier JBS SA and Miami-based technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.

In ransomware attacks, hackers encrypt a victim’s files and then demand payment to unlock them. Reported ransomware payments in the U.S. reached $590 million in the first half of 2021, compared with a total of $416 million in all of 2020, according to the Treasury Department.

Biden’s vow

Following a string of high-profile attacks, President Biden vowed to make curbing ransomware a priority for his administration. At a June summit, he warned his Russian counterpart, Vladimir Putin, that Russian hackers should steer clear of 16 critical sectors of the U.S. economy. Last month, his administration enlisted more than 30 countries in an effort to curb ransomware.

The arrests by European and South Korean law enforcement involved so-called REvil affiliates. Ransomware groups often provide their malware to others, called affiliates, who then target victims and pay the group a cut of the illicit proceeds. Europol said that law enforcement agencies had identified the alleged affiliates of REvil after seizing infrastructure used by the group and carrying out investigative methods such as wiretapping.

Romanian authorities arrested two alleged affiliates of the group on Nov. 4, according to a statement released on Monday by European law enforcement agency Europol. A further three arrests of REvil suspects were made earlier this year, Europol said.

The arrests stemmed from an international investigation named GoldDust, which involved law enforcement agencies from 17 countries, including the U.S., the U.K., France and Germany. The alleged hackers are suspected of involvement in about 5,000 ransomware infections and of receiving about half a million euros ($579,000) in ransom payments.

In the Texas indictments, Vasinskyi and Polyanin were charged with conspiracy to commit fraud and money laundering, as well as other computer crimes, in connection with REvil ransomware attacks against several U.S. businesses. Prosecutors allege the two “knowingly and willfully” conspired to intentionally damage computer systems among at least nine firms in seven states.

The Justice Department said Monday it seized $6.1 million in ransom payments tied to Polyanin, and the Federal Bureau of Investigation added a “wanted” poster for him to its website.

Polyanin is charged with deploying the first operational version of the Sodinokibi ransomware. He allegedly deployed ransomware on the computer networks of one company and 11 government entities — tied to multiple municipalities in Texas — in August 2019, according to court filings. Polyanin allegedly hacked into the network of an unnamed company and then deployed ransomware on its customer’s networks.

Vasinskyi was arrested after traveling to Poland. In December 2019, he allegedly sent a message on a criminal forum to “Unknown,” who is believed to be a representative of the REvil ransomware gang. “Hello, this is rabotnik,” Vasinskyi wrote, according to the court filings. “I want to return to work.” Vasinskyi’s alleged targets included Kaseya, the Florida-based software developer. Prosecutors said the victims in Vasinskyi’s attacks have paid more than $2 million in combined ransom.

The government alleges that Vasinskyi and other conspirators authored and deployed the malicious software on computer systems since April 2019. Prosecutors say the attackers infected computers using a swath of tricks, including sending out phishing emails, using compromised remote desktop passwords and exploiting vulnerabilities in software code.

Monday’s actions include the designation of Chatex, a virtual currency exchange, and its associated support network, for facilitating financial transactions for ransomware actors. Chatex, which claims to have a presence in multiple countries, has facilitated transactions for multiple ransomware variants, according to the Treasury Department. Analysis of Chatex’s known transactions indicates that over half are directly traceable to illicit or high-risk activities such as darknet markets, high-risk exchanges and ransomware.

Law enforcement authorities used the news conference to encourage other companies to quickly report attacks to law enforcement, as Kaseya did, and to praise other countries that aided in the effort. FBI Director Christopher Wray said that the arrests show “what’s possible when federal law enforcement and international law enforcement work together with private sector companies.”

When asked by a reporter, Garland declined to say whether the Russian government condoned or was aware of the actions taken against the hackers.

Bloomberg News