
Global sting nets big-time ransomware hackers, millions in crypto


Global law enforcement closed in on one of the worst known ransomware cybercrime operations with a series of stings yesterday.

US-led authorities yesterday seized US$6.1 million in the sting against ransomware actors. Many of the ransom payments made to the hackers are associated with the REvil gang.

Ukrainian authorities have also arrested a man charged with one of the most disruptive ransomware attacks to date.

US President Joe Biden said the money seizure and arrests made good on a warning to Russian President Vladimir Putin that his country would “hold cybercriminals accountable”. 

Operation GoldDust saw authorities seize US$6.1 million from Yevgeniy Polyanin, 28, who is thought to reside in Russia.

Ransomware kingpin caught in sting is part of the REvil network

Polyanin has perpetrated more than 3,000 ransomware attacks as part of the REvil criminal network. These attacks have generated at least US$13 million from extortion payments.

Yaroslav Vasinskyi, 22, also allegedly part of the REvil network since 2019, was arrested at the border crossing between Ukraine and Poland overnight.

He was charged by the US Department of Justice with orchestrating the high-profile ransomware attack against IT company Kaseya, which brought the operations of thousands of organisations to a halt in July.

REvil and its affiliates are responsible for other high-profile attacks, including one on meat supplier JBS in June 2021.

Vasinskyi allegedly collected US$2.3 million from mostly managed service providers around the world that used Kaseya’s popular VSA server to provide remote IT management. 

He denied wrongdoing during an interview with Polish prosecutors, according to tech publication Cyberscoop.  

Polyanin and Vasinskyi face charges of fraud, accessing a protected computer without authorisation, and conspiracy with the purpose of money laundering.  

The Kaseya crisis’ huge global impact

Authorities said Vasinskyi deployed the REvil ransomware through Kaseya’s VSA platform, leading to a cascade that infected countless businesses around the world.

Many organisations paid ransoms in an unsuccessful bid to have their operations restored. 

Among the hardest hit was Sweden’s largest supermarket chain, Coop, which was forced to close hundreds of stores and give away food for free after being unable to take payments. 

The accused hacker demanded US$50 million to unlock all ransomware-affected computers and anywhere from US$45,000 to US$5 million to unlock individual affected systems. 

Current sting among many ongoing global actions against ransomware actors

The charges are the latest strike in a series against REvil and other ransomware operators. The REvil gang’s operations went offline last week in what appeared to be a tightening law enforcement noose around the group. 

Ransomware gangs have operated largely unchecked for years, becoming increasingly audacious and organised with ransom demands increasing from thousands to millions of dollars.

An affiliate of the ransomware group then known as DarkSide appeared to have gone too far in May by attacking the US company Colonial Pipeline, forcing the major East Coast US fuel distributor to shut down its services.

The US then issued warnings that it would consider retaliatory hacking against the ransomware groups with President Biden announcing tougher penalties for ransomware-related crimes. 

Federal Bureau of Investigation director Christopher Wray said in court documents unsealed overnight that the agency had worked “creatively and relentlessly” against REvil.

“Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being,” he said. 

“We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”  

A century of jail to come?

Polyanin and Vasinskyi face maximum penalties of 115 and 145 years in prison, respectively, if convicted of all counts. 

The charges came hours after a separate joint ransomware crackdown by Europol that resulted in the arrests of seven alleged REvil and GandCrab ransomware affiliates in South Korea, Romania, and Kuwait. 

The US also sanctioned cryptocurrency portal Chatex for allegedly helping ransomware gangs to launder ransom payments. 

Authorities have offered bounties of US$10 million and US$5 million for information leading to the arrest of core REvil gang members and affiliates, respectively. 

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
