Down With the REvil: U.S. Nabs Key Leaders in War on Notorious Ransomware Gang

essidsolutions

The U.S. Department of Justice on Monday confirmed the indictment of two alleged REvil members arrested in Poland last month, following the arrests of two others in Romania last week and one in Kuwait. According to the government, the five are responsible for thousands of ransomware attacks that brought in millions of dollars in ransom payments.

Days after the U.S. Department of State announced a $10 million bounty for information about the leaders of the DarkSide ransomware gang, the Department of Justice announced the arrest of five alleged members of the REvil ransomware gang, the group behind the Kaseya attack. The arrests were made by several law enforcement agencies coordinating under an international investigation dubbed GoldDust.

Under that investigation, the first two arrests of REvil "actors" were made by Romanian authorities last week, on November 4, and a third REvil associate was arrested in Kuwait the same day. What followed, it seems, was a cascading effect on two other dominoes of the international cybercriminal syndicate, both of whom were arrested in Poland last month in a Europol-coordinated operation and were indicted yesterday.

The DoJ said $6.1 million was seized from one Yevgeniy Polyanin, a Russian national, after the funds were traced back to alleged ransom payments from REvil operations. The other indictment was against Ukrainian national Yaroslav Vasinskyi, who, besides perpetrating the July 2021 ransomware attack against Kaseya, is alleged to have attacked multiple other victims.

Much like the Colonial Pipeline attack, the ransomware attack against Florida-based IT supplier Kaseya was far-reaching. It impacted 1,500 downstream organizations along with 36,000 customers and thousands of MSPs.

This REvil bust, possibly months in the making, also coincides with the takedown of the cybercriminal group's infrastructure in October. The recent developments should also assuage the concerns of lawmakers on the U.S. House Committee on Oversight and Reform, who sought answers on why the FBI, despite obtaining a decryptor soon after the Kaseya attack, did not share it with victims for 19 days.

REvil is a Russia-based ransomware group that infiltrated networks or systems, exfiltrated data to its own servers, and encrypted victim systems before leaving a ransom note. Regaining access, and any assurance that the stolen data had been deleted, depended on whether the victim decided to pay the ransom, usually in Bitcoin or another cryptocurrency and often amounting to millions of U.S. dollars.

Attorney General Merrick B. Garland said, "Ransomware attacks are fueled by criminal profits. That is why we are not just pursuing the individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them, whenever we can, to the victims from whom they were extorted."

So far, REvil's total earnings from ransomware operations amount to a mind-boggling $200 million, according to the DoJ. Besides targeting and victimizing Kaseya and its downstream organizations, REvil also hit Acer in March, Quanta (a Taiwanese supplier to Apple and other computer makers) in April, and JBS Foods (the world's largest processed meat supplier) in May, among others, and even Sol Oriens, a U.S. Department of Energy subcontractor for nuclear weapons consulting.

It is unclear whether the five arrested were involved in all of these attacks. However, Garland said that Vasinskyi was definitely involved in the Kaseya incident.

“The indictment charges that Vasinskyi and co-conspirators authored REvil software; installed it on victims’ computers, resulting in encryption of the victims’ data, including in the July 2 attack; demanded ransom payments from those victims; and then laundered those payments,” Garland added. “Two months after the indictment, on October 8, Vasinskyi crossed the border from Ukraine into Poland.”

Meanwhile, Polyanin allegedly carried out nearly 3,000 ransomware attacks, including those on law enforcement agencies and municipalities in Texas. The two suspects arrested in Romania on November 4 allegedly perpetrated 5,000 ransomware extortion attacks and netted €500,000 (approx. $579,777). Vasinskyi is awaiting extradition from Poland to the U.S.

Besides REvil, DarkSide is also on the U.S. government's radar; the State Department announced a $10 million reward for information on its leaders last week. Moreover, the U.S. government is not only going after ransomware group members and affiliates, it is also pursuing those (read: cryptocurrency exchanges) that facilitate crypto-to-fiat transactions.

For example, in September, the Department of the Treasury sanctioned Suex, a Czech-registered but Russia-based cryptocurrency exchange. The Treasury Department also sanctioned another crypto exchange, Chatex, this week. Suex and Chatex share a co-founder, Egor Petukhovsky.

The FBI is leading the GoldDust investigation with assistance from the Cybersecurity and Infrastructure Security Agency (CISA), Europol, Eurojust, law enforcement agencies from Romania, Canada, France, the Netherlands, Poland, Germany, Switzerland and the United Kingdom, and the governments of Norway and Australia. Private companies Bitdefender, McAfee, and Microsoft were also involved in the operation.