
US seizes $6 million from REvil ransomware, arrest Kaseya hacker

TylerM
Administrator
  • Sr. Security Analyst & Community Manager

Read the original article on BleepingComputer

The United States Department of Justice today announced charges against a REvil ransomware affiliate responsible for the July 2nd attack on the Kaseya MSP platform, along with the seizure of more than $6 million from another REvil partner.

The suspect is 22-year-old Ukrainian national Yaroslav Vasinskyi, arrested for cybercriminal activity on October 8 at the request of the U.S. while trying to enter Poland from his native country.

Vasinskyi is known by several aliases (Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22). He is one of the seven REvil ransomware affiliates apprehended so far as part of broad international efforts to combat the ransomware threat.

Ransom demands of over $760 million

While the news of Vasinskyi getting arrested did not go unnoticed, the exact reason was unclear until his indictment and arrest warrant were unsealed on November 5.

In a press conference today, the DoJ announced the charges against Vasinskyi, underlining his involvement in the Kaseya attack that impacted around 1,500 businesses worldwide.

REvil ransomware, also known as Sodinokibi, is the successor of GandCrab and had an initial test run in April 2019 in an attack that exploited a vulnerability in WebLogic Server.

According to the indictment, Vasinskyi is a long-time affiliate of the REvil ransomware operation, having been part of it since at least March 1st, 2019, and carried out about 2,500 attacks against businesses worldwide.

The investigation revealed that Vasinskyi’s ransom demands amounted to $767 million but victims paid only $2.3 million.

By comparison, the entire REvil ransomware operation has received more than $200 million since it began operating and has encrypted at least 175,000 computers.

Of all the attacks, the one on the Kaseya managed service provider was the biggest, with a ransom demand of $70 million to decrypt all the affected systems.

This incident acted as a catalyst for the U.S. to launch a broad operation against the ransomware threat in cooperation with law enforcement agencies around the world.

The U.S. is now requesting Vasinskyi's extradition and has unsealed the charges against him.

Seizing ransomware money

The DoJ also announced that law enforcement seized $6.1 million from another REvil ransomware affiliate, Yevgeniy Polyanin, who is currently at large.

Polyanin is believed to have perpetrated about 3,000 ransomware attacks against various organizations, extorting around $13 million from victims.

Previously, the U.S. recovered $4.4 million of the ransom that Colonial Pipeline paid to the DarkSide ransomware gang following an attack that led to temporary fuel shortages.

The charges against Polyanin are the same as for Vasinskyi:

  • one count of conspiracy to commit fraud and related activity in connection with computers
  • nine counts of intentional damage to a protected computer
  • one count of conspiracy to commit money laundering

In about five months, the DoJ's efforts have resulted in arresting seven affiliates of the REvil ransomware operation.

On November 4, authorities in Romania arrested two alleged REvil ransomware partners. A GandCrab affiliate was arrested on the same day in Kuwait. Three other individuals were apprehended in February, April, and October.
