Accused Ukrainian Kaseya ransomware attacker arrested

Ukrainian national Yaroslav Vasinskyi was arrested in Poland on October 8 under a sealed US Justice Department indictment, accusing him of committing the Kaseya ransomware attack in July this year and trying to extort a $70 million ransom.

Kaseya’s VSA remote monitoring and management tool was abused as the delivery vector to push ransomware into the systems of up to 1,500 end-customers of some 30 managed service providers (MSPs) at the start of the USA’s Independence Day weekend on July 2 this year.

US Attorney General Merrick Garland spoke at a press conference on November 8 and said: “Vasinskyi crossed the border from Ukraine into Poland. There, upon our request, Polish authorities arrested him pursuant to a provisional arrest warrant. We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries.”

Garland said that: “On July 2, the multinational information software company Kaseya and its customers were attacked by one of the most prolific strains of ransomware, known as REvil, or Sodinokibi. To date REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

Vasinskyi arrest announcement video. Source: Reuters. The transcription software needs a little help, as “Kassala” should be “Kaseya.”

He added that: “The Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin … [who] is alleged to have conducted approximately 3,000 random ransomware attacks. … Polyanin ultimately extorted approximately $13 million from his victims.”

Vasinskyi and Polyanin could face sentences of up to 100 years in jail if convicted in the USA.

Kaseya’s CISO hire

Separately, Kaseya appointed Jason Manar as Chief Information Security Officer (CISO) in October. Manar was previously assistant special agent in charge at the FBI’s San Diego office, overseeing its cyber, counterintelligence, intelligence and language service programs.

Fred Voccola, Kaseya’s CEO, said: “We worked closely with him during the July attack on Kaseya’s VSA customers and were so impressed with his qualifications and handling of the situation that we asked him to join Kaseya as CISO. We only hire the best, and Jason is top-of-the-line.”

Commenting on the VSA ransomware attack, Manar said: “Kaseya provided the most transparency of any company I have seen, by delivering near-real-time information to its customers. I was amazed to see the level of commitment, care, and integrity Kaseya showed; it surpassed anything I had seen in 16 years.”

Wider anti-REvil activities

Interpol has announced that a four-year operation across five continents has disrupted a ransomware cybercrime gang, with the arrest of seven suspects. The operation, codenamed Quicksand (GoldDust at Europol), was carried out by 19 law enforcement agencies in 17 countries. The agencies built a shared global threat picture of attacks by ransomware families, particularly GandCrab and REvil/Sodinokibi, and of the suspects behind them.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware attacks and demanding more than €200 million in ransom. Interpol said private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks contributed to the investigations by sharing information and technical expertise.

Bitdefender supported the operations by releasing tailor-made decryption tools that let victims unlock their files without paying. This enabled more than 1,400 companies to decrypt their data, saving them almost €475 million in potential losses. KPN, McAfee and S2W helped the investigations by providing cyber and malware technical expertise to Interpol and its member countries.

Europol, which participated in Operation Quicksand/GoldDust, said that on November 4 Romanian authorities arrested two individuals suspected of carrying out cyber-attacks by deploying Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, from which they pocketed €500,000 in ransom payments in total. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab.

Additionally, in February, April and October this year, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, who between them had more than 1,500 victims.

On November 4, Kuwaiti authorities arrested another GandCrab affiliate, bringing to seven the total number of suspects linked to the two ransomware families arrested since February 2021. They are suspected of attacking about 7,000 victims in total.

US anti-ransomware vigour

Reported ransomware payments in the United States reached $590 million in the first half of 2021 alone, compared with a total of $416 million for the whole of 2020.

US president Joe Biden met Russian president Vladimir Putin in June and said that the USA would take action to stop the activities of international cyber-criminals. The US Justice Department, Interpol and Europol activities described above are that pledge put into action.

The US Department of State announced a Transnational Organized Crime Reward offer of up to $10 million for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi/REvil ransomware variant transnational organised crime group.

It also announced a reward offer of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in, or attempting to participate in, a Sodinokibi variant ransomware incident.

The US Treasury Department announced that it was taking action against Chatex, a virtual currency exchange, for facilitating financial transactions for ransomware actors. Analysis of Chatex’s known transactions indicates that over half are directly traceable to illicit or high-risk activities such as darknet markets, high-risk exchanges and ransomware. Chatex has direct ties with Suex, using Suex as a nested exchange to conduct transactions. Suex was itself sanctioned on September 21, 2021, for facilitating financial transactions for ransomware actors.

Latvian government authorities have suspended with immediate effect the operations of Chatextech; assessed a fine for breaches of company registration and business conduct laws and regulations; and will identify current and former Chatextech board members — none of whom were Latvian nationals — in Latvia’s registry of high-risk individuals.

Comment 

It is now clear that the US State Department, Treasury Department, Interpol, Europol, South Korea and Kuwait are acting in a concerted and organised manner to identify, interdict, arrest and hopefully convict the perpetrators of ransomware — wherever they are.

Such activity will be welcomed by all victims of ransomware attacks.