A ransomware attack on Kaseya, an IT management company, left hundreds of businesses without power, their data encrypted by the REvil ransomware group. US authorities have now announced an unprecedented development: a Ukrainian national was arrested in October and is currently being extradited from Poland.
Ransomware gangs have operated with relative impunity in the last few years because many of them are based abroad and the Kremlin has stubbornly refused to turn a blind eye. The Department of Justice's Monday announcement shows the hybrid approach law enforcement has found. The arrest of Yaroslav Vasinskyi, 22 years old, who is now awaiting extradition, shows that officials can catch key players when they make mistakes. Another important announcement was the seizure of $6.1 million in ransomware payments allegedly received by Yevgeniy Polyanin, proving that authorities can disrupt targets even when they are unable to take them into custody.
"Vasinskyi's arrest shows how quickly we will act alongside our international partners to identify, locate and apprehend suspected cybercriminals, no matter their location," Attorney General Merrick Garland stated at a Monday press conference. "Ransomware attacks are fuelled by criminal profits. That is why we aren't just following those responsible. We also have a commitment to capture their illicit profits and return them to victims whenever possible."
The indictments against Vasinskyi, Polyanin and others don't go into much detail. Vasinskyi allegedly became involved with REvil after replying to an advertisement posted on a Russian hacker forum looking for ransomware affiliates. Ransomware developers often strike what amount to franchise deals for their hacking software, handing it to affiliates in exchange for a share of the proceeds: the McDonald's model of cybercrime. Vasinskyi is accused of taking part in the attack on Kaseya, whose compromised software updates then spread the malware to its customers. The attack ultimately affected as many as 1,500 businesses.
Polyanin, a 28-year-old, is also accused of carrying out REvil ransomware attacks on multiple victims. The indictment claims that Polyanin was at least partially responsible for ransomware attacks that targeted many local Texas government agencies in August 2019. Polyanin, who is currently in Russia, is believed to be linked to attacks on at least 3,000 ransomware victims, from whom the attackers collectively tried to extort $13 million.
Allan Liska, an analyst at the security firm Recorded Future, says that this is "great news all around." It reminds ransomware hackers that they are not safe even in Russia. "If we can't arrest you, we'll take your money." Even ransomware operators sometimes have to use services outside Russia, and that is where law enforcement has the power to act.
Combined with recently announced sanctions by the Treasury Department and a reward offered by the State Department for information on the DarkSide ransomware operators, Monday's Justice Department action reflects the Biden administration's "whole of government" ransomware mantra.