US Accuses Ukrainians And Russians Of Ransomware Attacks This Year

Yaroslav Vasinskyi hacker from Ukraine, who was arrested in Poland last month. (photo: twitter)

JAKARTA – The US Department of Justice indicted a Ukrainian citizen and a Russian in one of the worst ransomware attacks against American targets in US District Court on Monday, November 8.

This latest US action follows a series of actions taken to combat a spike in ransomware that has hit several large companies, including an attack on the United States' largest fuel pipeline that crippled fuel shipments for several days.

An indictment accuses Ukraine's Yaroslav Vasinskyi, who was arrested in Poland last month, for breaking into Florida software provider Kaseya over the weekend, July 4.

From there, he and his colleagues simultaneously distributed REvil ransomware to as many as 1,500 Kaseya customers. Furthermore, it encrypts their data and forces some of them to close for days.

Vasinskyi is accused of breaking into the victim's company and installing encryption software, developed by the core group REvil. REvil directly handles the ransom negotiations and shares profits with affiliates like Vasinskyi. This model allows notorious ransomware gangs to extort companies for cryptocurrency ransoms.

Kimberly Goody, director of financial crime analysis at security firm Mandiant, said targeting affiliates could be more effective than going after the core gang, because their skills are more valuable than encryption software, which is ubiquitous. Some affiliates also work with multiple gangs.

The arrests are part of a massive ongoing sweep of key ransomware figures coordinated by the FBI, Europol and national police organizations across Europe, with help from private security firms.

REvil, also implicated in the attack on leading global meatpacker JBS SA, was breached in a joint operation, as Reuters previously reported, and authorities were eventually able to recover the $6 million in ransom payments sent.

REvil announced it was shutting down last month, as did the rival gang involved in the Colonial Pipeline hack.

Vasinskyi and another suspected REvil agent, Russian citizen, Yevgeniy Polyanin, were charged in the US District Court for the Northern District of Texas with conspiracy to commit fraud and conspiracy to commit money laundering, among other offences.

The Treasury Department said the two face sanctions for their role in the ransomware incident in the United States, as well as a virtual currency exchange called Chatex "to facilitate financial transactions for ransomware perpetrators."

"Latvian and Estonian government agencies are critical to the investigation," the Treasury said.

"International partnerships can disrupt bad actors," former US civil cyber defense Chris Krebs said on Twitter.

Deputy Attorney General Lisa Monaco commended Kaseya for her assistance in the investigation. "We are here today because in their darkest hour, Kaseya made the right choice and they decided to work with the FBI...by doing that, we were able to identify and help many of the victims of this attack."

The Treasury Department said more than $200 million in ransom payments were paid in Bitcoin and Monero.

Vasinskyi, 22, is being held in Poland and is still awaiting extradition to the US, while Polyanin, 28, remains at large. Russia's tolerance of major gangs targeting critical US industries has been a flashpoint in relations with the Biden administration.

US President Joe Biden said Monday that his administration had taken "significant steps to strengthen" critical US infrastructure against cyberattacks.

"When I met with President Putin in June, I made it clear that the United States would take action to hold cybercriminals accountable. That's what we have done today," he said in a statement issued by the White House.

Although discussions continue, security experts and most US officials say they have not seen a decline in overall ransomware attacks. The encryption software used for such attacks is freely available.

Reuters was unable to reach legal representatives for the two accused men on Monday, and there are no lawyers for those listed in court filings.

The indictment says Ukrainian hackers and other conspirators started deploying the hacking software around April 2019 and regularly update and improve it. It said he also laundered money earned through extortion schemes.

Europol said earlier on Monday that Romanian authorities on November 4 arrested two other people suspected of carrying out the attack that spread the REvil ransomware. Officials in South Korea previously arrested three more people linked to REvil and two related types of ransomware.

Twelve suspects believed to have carried out ransomware attacks against companies or infrastructure in 71 countries were "targeted" in raids in Ukraine and Switzerland, Europol said on Friday.