The US Department of Justice has charged
a Ukrainian national for his alleged role in a July 2 cyberattack on Kaseya that
resulted in the REvil ransomware sample being deployed on some 1,500 of the company’s
downstream customers.
Yaroslav Vasinskyi, 22, was arrested in Poland on Oct. 8 on a US
arrest warrant. He is currently awaiting extradition to the US, where he faces additional
charges related to ransomware attacks against numerous other companies. If convicted
on all charges, Vasinskyi faces a maximum sentence of 115 years in prison.
In unsealing the indictment against Vasinskyi on Monday, the DoJ said it
had also seized $6.1 million in ransom payments that allegedly were received by
another REvil operator — Russian national Yevgeniy Polyanin, 28. The DoJ has charged
Polyanin with carrying out ransomware attacks against businesses and government
entities in Texas back in August 2019. Polyanin, who is currently still at large
abroad, faces a maximum sentence of 145 years if convicted on all charges.
Vasinskyi is one of five individuals who have been arrested
worldwide since February 2021 for allegedly deploying REvil (aka Sodinokibi) on
systems belonging to organizations in multiple countries, including the US, Germany,
and France. Two were arrested Nov. 4 in Romania, two were arrested in South Korea,
and Vasinskyi was arrested in October in Poland. It’s not clear when the two REvil-related
arrests in South Korea happened. These five are believed to have been responsible
for deploying REvil on systems belonging to some 5,000 organizations.
In addition to the arrests related to REvil, international law enforcement
authorities have arrested two other individuals for deploying Gandcrab, the predecessor
to REvil.
Together, the seven suspects are believed responsible for ransomware
attacks on some 7,000 victims worldwide that resulted in a ransom demands totaling
over $231 million.
The arrests are the result of a 17-country, Romania-led operation
dubbed GoldDust that was originally put into motion back in 2018 to take out the
operators of Gandcrab — one of the most prolific ransomware samples to date, with
more than a million victims. In May 2021, law enforcement teams from France, Germany,
Romania, and Europol expanded GoldDust with a joint investigation team focused on
tracking down the operators of REvil.
The arrests and indictments mark a major — though most likely fleeting
— win for law enforcement authorities against a major ransomware operator. The believed-to-be-Russia-based
operators have made the malware available to other threat actors as part of a ransomware-as-a-service
model. Under the model, attackers — or affiliates — that use the malware pay a cut
of any ransoms they collect to the original authors.
REvil has been used in attacks that have cost US organizations tens
of millions of dollars over the past year. The attack on Kaseya alone involved a
ransom demand of some $70 million. Another attack, against meat supplier JBS, fetched
the attackers a whopping $11 million earlier this year.
Hank Schless, senior manager, security solutions at Lookout, says
the arrests show that law enforcement is getting better about catching cybercriminals.
But whether these arrests have any deterring factors remains to be seen. “It
will depend on the severity of the sentencing and subsequent prison sentences,”
Schless says. Criminals convicted of financially motivated cybercrime like ransomware
appear to be garnering anything from a five- to 20-year sentence, he notes. “The
broader reach of the Kaseya ransomware attack could bring a much heavier sentence
for those involved,” he predicts.
Rick Holland, chief information security officer and vice president
of strategy at Digital Shadows, says the arrests are a good thing. However, cybercrime
always finds a way, he notes. Other criminal actors will be waiting in the wings
to fill the void created by the REvil arrests, Holland notes. The law enforcement
action will likely also push threat actors into improving their operational security
and tradecraft.
Ultimately though, arrests and sanctions alone aren’t enough to combat
ransomware. “We are addressing symptoms and not the root causes,” Holland
says. “Beyond deterrents and disruption, we must also build resiliency into
the companies targeted by criminals — and state actors,” he says. “The
goal should be to make it harder for criminals to compromise a victim.”
