The Justice Department continues to attack and dismantle global ransomware extortion organizations. Business surveys often confirm that executives are hyper-focused on the risk of ransomware attacks against businesses. Interestingly, government regulators have focused on ransomware scenarios to ensure that regulatory restrictions on sanctions and other restrictions are not violated. The message behind DOJ and regulatory interests is clear – if attacked, notify law enforcement right away and cooperate in an effort to defend against a cyber-attack.
Eventually, Congress may step in and pass legislation mandating law enforcement notification and cooperation in response to ransomware attacks. Congress has tried to pass such legislation for years but has always failed when conflicting interests bog down any real solutions.
In its latest high profile prosecution announced by the Ransomware and Digital Extortion Task Force, DOJ arrested two foreign nationals, Yaroslav Vasinski, a Ukrainian national, and Yevgeniy Polyanin, a Russian national, who depoloyed the Sodinokibi/REvil ransomware. Vasinski was charged with launching ransomware attacks against multiple victims, including the July 2021 attack against Kasyea, a global software company. Polyanin was charged with multiple ransomware attacks, including businesses and government entities in Texas in August 2019. DOJ also announced the seizure of $6.1 million in funds paid in to Polyanin as ransom payments. DOJ’s latest action followed arrest of two other Romanian nationals who were part of the Sodinokibi/REvil conspiracy.
Vasinski and Polyanin are responsible for launching one of the Internet’s most virulent code, authored by REvil, to hijack victim computers. The indictments charged Vasinski and Polyanin with accessing internal computer networks to deploy REvil and encrypt data on the computers of victim companies.
Vasinski was responsible for a July 2 ransomware attack against Kasyea. He caused the deployment of malicious code throughout a Kaseya product that caused Kasyea production functionality to deploy REvil ransomware to endpoints on Kasyea customer networks. After deployment, ransomware was executed on those computers, thereby disabling Kasyea software and data on organizations around the world.
The defendants left electronic notes in the form of a text file on the victims’ computers. These notes included a web address leading to an open-source privacy network known as Tor, and a public address that users could visit to recover their files. When users visited either website, the victims were provided a ransom demand and provided a virtual currency address to pay the ransom. If a victim paid the demand, the defendants provided a decryption key to access their files. If a victim refused to pay the ransom, the defendants posted the stolen data on a public website and the victims were unable to access their files.
Vasinski and Polyanin were charged in separate indictments with conspiracy to commit fraud, substantive counts of damage to protected computers and conspiracy to commit money laundering. Vasinski was arrested on October 8, 2021, in Poland. He is pending extradition to the United States. Polyanin was not apprehended.
The prosecution was the result of a coordinated international law enforcement effort conducted by the U.S., Ukraine, Romania, Poland, Canada, Netherlands, Norway and Australia, the U.K., Germany and Switzerland, along with private businesses, including BitDefender, McAfee, and Microsoft.