U.S. charges Ukrainian and Russian in major ransomware spree, seizes $6 million
November 09, 2021 | By Mark Hosenball, Kanishka Singh and Joseph Menn
(Reuters) - The U.S. Justice Department
charged a Ukraine national and a Russian in one of the worst ransomware
attacks against American targets, court filings showed on Monday.
The latest U.S. actions follow a slew of measures taken to combat a
surge in ransomware that has struck several big companies, including an
attack on the largest fuel pipeline in the United States that crippled
fuel delivery for several days.
An indictment accused Ukrainian Yaroslav Vasinskyi, who was arrested in
Poland last month, of breaking into Florida software provider Kaseya
over the July 4 weekend.
From there, he and accomplices simultaneously distributed REvil
ransomware to as many as 1,500 Kaseya customers, encrypting their data
and forcing some to shut down for days, it said.
Vasinskyi is charged with breaking into the victim companies and
installing encryption software, developed by the core REvil group. REvil
directly handled the ransom negotiations and split the profits with
affiliates like Vasinskyi. This model allowed the notorious ransomware
gang to extort numerous companies for cryptocurrency.
Kimberly Goody, director of financial crime analysis at security company
Mandiant, said targeting affiliates could be more effective than going
after the core gangs, because their skills are more prized than
encryption software, which is ubiquitous. Some affiliates also work with
multiple gangs.
The arrest was part of a major ongoing sweep against key ransomware
figures coordinated by the FBI, Europol and national police
organizations throughout Europe, with help from private security
companies.
REvil, also involved in an attack against top global meatpacker JBS SA,
was penetrated by the joint operation, Reuters reported previously, and
authorities recovered $6 million in ransom payments.
REvil announced it was shutting down last month, as did a rival gang
involved in the hack of Colonial Pipeline.
Vasinskyi and another alleged REvil operative, Russian national Yevgeniy
Polyanin, were charged in U.S. District Court for the Northern District
of Texas with conspiracy to commit fraud and conspiracy to commit money
laundering, among other offenses.
The Treasury Department said the two face sanctions for their role in
ransomware incidents in the United States, as well as a virtual currency
exchange called Chatex "for facilitating financial transactions for
ransomware actors."
Latvian and Estonian government agencies were vital to the
investigation, the Treasury said.
FBI Director Christopher Wray is flanked by U.S. Attorney General
Merrick Garland and Deputy Attorney General Lisa Monaco as they
discuss charges against a suspect from Ukraine and a Russian
national over a July ransomware attack on an American company,
during a news conference at the Justice Department in Washington,
U.S., November 8, 2021. REUTERS/Jonathan Ernst
"International partnerships can disrupt bad actors," former U.S. civilian cyber
defense official Chris Krebs said on Twitter.
Deputy Attorney General Lisa Monaco credited Kaseya for its help in the
investigation. "We are here today because in their darkest hour, Kaseya made the
right choice and they decided to work with the FBI... in doing so, we were able
to identify and help many victims of this attack."
The Treasury said more than $200 million in ransom payments were paid in Bitcoin
and Monero.
Vasinskyi, 22, was being held in Poland pending U.S. extradition proceedings,
while Polyanin, 28, remains at large. Russia's tolerance of major gangs
targeting U.S. critical industry has been a flashpoint in relations with the
Biden administration.
President Joe Biden said on Monday that his administration has taken "important
steps to harden" critical U.S. infrastructure against cyberattacks. "When I met
with President Putin in June, I made clear that the United States would take
action to hold cybercriminals accountable. That's what we have done today," he
said in a statement released by the White House.
Although discussions continue, security experts and most U.S. officials said
they had not seen an overall decrease in ransomware attacks. Encryption software
used for such attacks is freely available.
Reuters could not reach legal representatives for the two men accused on Monday,
and no attorneys for them were listed in court filings.
The indictment said the Ukrainian hacker and other conspirators started
deploying hacking software around April 2019 and regularly updated and refined
it. It said he also laundered money obtained through the extortion scheme.
Europol said earlier on Monday that Romanian authorities on Nov. 4 arrested two
other individuals suspected of attacks deploying the REvil ransomware. Officials
in South Korea previously arrested three more people associated with REvil and
two related strains of ransomware, Europol added.
Twelve suspects believed to have mounted ransomware attacks against companies or
infrastructure in 71 countries were "targeted" in raids in Ukraine and
Switzerland, Europol said on Friday.
(Reporting by Kanishka Singh in Bengaluru, Mark Hosenball, Diane Bartz and Susan
Heavey in Washington, and Joseph Menn in San Francisco; Editing by Dan Grebler)
© 2021 Thomson Reuters. All rights reserved.