US Charges 2 Suspected Major Ransomware Operators

WASHINGTON (AP) — A suspected Ukrainian hacker has been arrested and charged in the United States in connection with a string of costly ransomware attacks, including one that snarled businesses around the globe on the Fourth of July weekend, U.S. officials said Monday.

Yaroslav Vasinskyi was arrested last month after traveling to Poland, according to the Justice Department, which also announced the recovery of $6.1 million in ill-gotten funds from a Russian national who was separately charged and is wanted by law enforcement.

Both men are alleged to be affiliated with the Russia-based REvil ransomware gang, which has been blamed for hacks that have extorted at least $200 million in payments, said Attorney General Merrick Garland. Victims in the last year have included the world’s largest meat processor, JBS SA, and a software company called Kaseya, in an holiday weekend attack that the company said affected between 800 and 1,500 businesses.

The involvement of multiple agencies across the Biden administration amounted to perhaps the most high-profile response to date to a blitz of ransomware attacks that officials say continues to threaten national security and the economy. Deputy Attorney General Lisa Monaco appeared to foreshadow the announcement in an interview with The Associated Press last week, saying that “in the days and weeks to come, you’re going to see more arrests.”

Speaking at a news conference Monday, she said, “We have been using every tool at our disposal and leveraging every authority we have to hunt down and hold accountable cybercriminals wherever they seek to hide.”

The indictment accuses Vasinskyi, 22, of conducting deploying REvil ransomware, also known as Sodinokibi, against victims around the world — including the massive Kaseya attack. Yevgeniy Polyanin, a Russian national, is charged in a separate indictment that accuses him of participating in a spate of attacks and leaving behind electronic notes on victims’ computers to help them make ransom payments and get their files decrypted.

Both indictments were filed in federal court in the Northern District of Texas, a state where REvil ransomware compromised the computer networks of some two dozen local government agencies in the summer of 2019.

The U.S. is seeking Vasinskyi’s extradition from Poland to Texas. Though it successfully recovered from $6 million in ransomware payments from Polyanin, the FBI is continuing to seek his arrest, and the State Department on Monday announced a $10 million reward for anyone with information leading to the capture of any leaders of the REvil group.

The Treasury Department, meanwhile, announced sanctions against the pair as well as what it said was a virtual currency exchange, Chatex, was used by ransomware gangs.

President Joe Biden commended the government’s actions, saying he was making good on his commitment to Russian leader Vladimir Putin that the U.S. would hold cyber criminals accountable. He said the U.S. was “bringing the full strength of the federal government to disrupt malicious cyber activity and actors” and to “bolster resilience at home.”

The announcement of the criminal charges came hours after European law enforcement officials revealed the results of a lengthy, 17-nation operation known as GoldDust. As part of that operation, Europol said, a total of seven hackers linked to REvil and another ransomware family have been arrested since February, including two last week by Romanian authorities.

The Justice Department has tried multiple ways to address a ransomware wave that it regards as a national security and economic threat. Arrests of foreign hackers are significant for the Justice Department since many of them operate in the refuge of countries that do not extradite their own citizens to the U.S. for prosecution.

“There’s lots of reasons why people travel, and I can’t get into the specific reasons why Mr. Vasinskyi traveled, but boy are we glad he did,” FBI Director Christopher Wray said Monday.

Even so, the ransomware threat has been hard to curb. Monaco told the AP last week that even since Biden’s admonitions to Putin last summer to rein in ransomware gangs, “we have not seen a material change in the landscape.”

Garland declined to answer directly when asked if there was evidence that the Russian government was aware of REvil’s activities, but said, “we expect and hope that any government with where of these ransomware actors is residing will do everything it can to provide that person to us for prosecution.”

The $6.1 million seizure in this case builds on a similar success from months ago.

The Justice Department in June seized $2.3 million in cryptocurrency from a payment made by Colonial Pipeline following a ransomware attack that caused the company to temporarily halt operations, creating fuel shortages in parts of the country.

___

Suderman reported from Richmond, Virginia. Associated Press writer Jake Bleiberg in Dallas contributed to this report.