November 8 (Reuters) – The U.S. Department of Justice indicted a Ukrainian national and a Russian in one of the worst ransomware attacks against U.S. targets, court documents revealed Monday.
The latest U.S. actions follow a series of measures taken to tackle a wave of ransomware that has hit several large companies, including an attack on the largest fuel pipeline in the United States that crippled fuel delivery for days.
An indictment accused Ukrainian Yaroslav Vasinskyi, arrested in Poland last month, of breaking into Florida software provider Kaseya over the weekend of July 4.
From there, he and his accomplices simultaneously distributed the REvil ransomware to up to 1,500 Kaseya customers, encrypting their data and forcing some to shut down for days, the indictment said.
Vasinskyi is accused of breaking into the victim companies and installing encryption software developed by the core REvil group. REvil handled the ransom negotiations directly and shared the profits with affiliates like Vasinskyi. This division of labor, known as ransomware-as-a-service, has allowed the notorious gang to extort numerous companies for cryptocurrency.
Kimberly Goody, director of financial crime analysis at security firm Mandiant, said targeting affiliates may be more effective than going after the core gangs, because the affiliates' intrusion skills are more prized than the encryption software, which is ubiquitous. Some affiliates also work with multiple gangs.
The arrest was part of an ongoing sweeping crackdown on key ransomware perpetrators coordinated by the FBI, Europol and national police organizations across Europe, with the help of private security companies.
REvil, also involved in an attack on the world's largest meat packer JBS SA, was penetrated by the joint operation, Reuters previously reported, and authorities have recovered $6 million in ransoms.
REvil announced it was shutting down last month, as did a rival gang involved in the Colonial Pipeline hack.
Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, have been charged in the U.S. District Court for the Northern District of Texas with conspiracy to commit fraud and conspiracy to commit money laundering, among other offenses.
The Treasury Department said it was imposing sanctions on the pair for their role in ransomware incidents in the United States, as well as on a virtual currency exchange called Chatex, which it said was used "to facilitate financial transactions for ransomware actors."
Latvian and Estonian government agencies played a key role in the investigation, the Treasury said.
"International partnerships can confuse bad actors," Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency, said on Twitter.
Deputy Attorney General Lisa Monaco credited Kaseya for its assistance in the investigation. "We are here today because in their darkest hour Kaseya made the right choice and they decided to work with the FBI ... in doing so, we were able to identify and help many victims of this attack."
The Treasury said more than $200 million in ransoms had been paid in Bitcoin and Monero.
Vasinskyi, 22, was detained in Poland pending U.S. extradition proceedings, while Polyanin, 28, is still at large. Russia's tolerance for major gangs targeting America's critical industries has been a flashpoint in its dealings with the Biden administration.
President Joe Biden said on Monday that his administration had taken "significant steps to strengthen" critical U.S. infrastructure against cyber attacks. "When I met President Putin in June, I made it clear that the United States would take action to hold cybercriminals to account. This is what we did today," he said in a statement released by the White House.
While those talks continue, security experts and most U.S. officials have said they have not seen an overall decrease in ransomware attacks. The encryption software used for such attacks is freely available.
Reuters was unable to reach legal representatives for the two accused men on Monday, and no attorneys for them have been listed in court documents.
The indictment states that the Ukrainian hacker and other conspirators began deploying the malware around April 2019 and regularly updated and refined it. It said he also laundered money obtained through the extortion scheme.
Europol said earlier on Monday that Romanian authorities had arrested two other people on November 4 suspected of attacks using the REvil ransomware. South Korean officials had previously arrested three other people associated with REvil and two associated strains of ransomware, Europol added.
Twelve people suspected of launching ransomware attacks against businesses or infrastructure in 71 countries were "targeted" in raids in Ukraine and Switzerland, Europol announced on Friday.
Reporting by Kanishka Singh in Bengaluru, Mark Hosenball, Diane Bartz and Susan Heavey in Washington and Joseph Menn in San Francisco; Editing by Dan Grebler