In early July, heading into the holiday weekend, a ransomware attack against the IT management firm Kaseya incapacitated hundreds of businesses, their data encrypted by the notorious REvil ransomware group. Now, US authorities have announced a development as unprecedented as the incident itself: The alleged perpetrator, a Ukrainian national, was arrested in October and is currently awaiting extradition from Poland.
Ransomware gangs have operated with relative impunity over the last few years, in part because so many of them are based in Russia and the Kremlin has steadfastly turned a blind eye. Monday’s Department of Justice announcement, though, shows that the hybrid approach law enforcement has landed on can work. The arrest and pending extradition of 22-year-old Yaroslav Vasinskyi shows that officials are capable of apprehending key players when they slip up. And another major announcement, the seizure of $6.1 million in alleged ransomware payments received by Russian national Yevgeniy Polyanin, shows that authorities can disrupt their targets even when they can't take them into custody.
“Vasinskyi’s arrest demonstrates how quickly we will act alongside our international partners to identify, locate, and apprehend alleged cybercriminals no matter where they are located,” Attorney General Merrick Garland said at a press conference on Monday. “Ransomware attacks are fueled by criminal profits; that is why we are not just pursuing individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them whenever we can to the victims from whom they were extorted.”
The indictments against Vasinskyi and Polyanin don’t go into great detail. Vasinskyi allegedly became involved with REvil most recently in December 2019, when he responded to an advertisement on a Russian hacker forum seeking ransomware affiliates. The people who write ransomware code often make what are essentially franchise deals for their hacking tools in exchange for a cut of the proceeds—the McDonald's model for cybercrime. Vasinskyi is accused of carrying out the attack on Kaseya, which in turn spread to a number of the company’s customers through software updates. Ultimately, the attack impacted as many as 1,500 businesses.
Polyanin, who is 28 years old, is also accused of deploying REvil ransomware against multiple victims. The indictment alleges that he was responsible, at least in part, for a ransomware spree that targeted a large number of local Texas government agencies in August 2019. Polyanin, who lives in Russia, is still at large but is thought to have links to 3,000 ransomware attacks that have collectively attempted to extort at least $13 million from victims.
“This is great news all the way around,” says Allan Liska, an analyst for the security firm Recorded Future. “It reminds ransomware actors that they aren’t safe, even in Russia. ‘If we can’t arrest you, we’ll take your money.’ Even ransomware actors have to use services outside of Russia sometimes, and that’s where law enforcement has power.”
Combined with recently announced sanctions from the Treasury Department and a reward from the State Department for information about the notorious DarkSide ransomware actors, the Justice Department’s action on Monday reflects the Biden administration's “whole of government” ransomware mantra.
Europol also announced on Monday that Romanian law enforcement recently arrested two suspected REvil affiliates who allegedly perpetrated 5,000 ransomware attacks and extorted close to $600,000 from victims. Justice Department officials referenced this and other recent global law enforcement operations in their remarks on Monday.
"One thing that stood out to me was calling out smaller countries like Romania and Estonia for their cooperation," Recorded Future's Liska says. "I think this is a good strategy to further isolate Russia."
Officials also praised Kaseya on Monday for cooperating with law enforcement in the wake of the company’s attack. This may indicate an effort to strike a difficult but potentially vital balance. The US government has long discouraged victims from paying ransoms, but that hardline approach is one factor that has made victims wary of coming forward, potentially limiting their options. While not encouraging payment, officials have seemingly refocused on encouraging victims to come forward and collaborate so law enforcement can take quick action against perpetrators.
“I’m cautiously optimistic because of the broad nature of this announcement,” says Katie Nickels, director of intelligence at the security firm Red Canary. “REvil was honestly already on the downswing after the Kaseya incident, but there are still other groups that are really bad right now. Adversaries are going to be looking to see: is this a limited action, or can law enforcement continue imposing costs?”
REvil and its affiliates were on a tear earlier this year, targeting the global meat purveyor JBS and others before the Kaseya attack. That high-profile incident, coupled with intense scrutiny of the Russian ransomware gang DarkSide, largely forced REvil underground over the summer. The group seemingly began to reemerge this fall but was recently knocked offline by an international law enforcement operation that compromised and took down the gang's digital infrastructure.
If officials can keep it up, Nickels and other researchers say ransomware dynamics really could shift for the better. On Monday, the Justice Department seemed keen to establish such a track record as well.
“Today, and now for the second time in five months, we announce the seizure of digital proceeds of ransomware deployed by a transnational criminal group,” Attorney General Garland said. “This will not be the last time.”
For now, though, the steady drumbeat of ransomware attacks continues, thanks to an array of prolific attackers who haven't yet been caught in law enforcement's crosshairs. It’s not a foregone conclusion that officials will be able to continue applying pressure and racking up wins. But for the first time, agencies within the US government and beyond seem clear about a strategy, and focused on executing it.