November 8, 2021, may have been the most significant single day in the United States' "whole of government" anti-ransomware campaign. The Department of Justice, Department of the Treasury, and Department of State all announced major actions—most of which were targeted against the REvil criminal hacking group.
Since 2019, REvil (also known as Sodinokibi) has been one of the most notorious and prolific perpetrators of ransomware attacks, including the attack against international meat processor JBS in May 2021 and the attack targeting Kaseya and up to 1,500 users of the company's VSA software in July 2021.
We summarize the Monday's major activities here.
Department of Justice: Indictments Against REvil Leaders and Seizure of $6.1M
The Department of Justice announced indictments in the Northern District of Texas against two individuals associated with REvil: Yaroslav Vasinskyi of Ukraine and Yevgeniy Polyanin of Russia. The two are charged with several counts of conspiracy to commit fraud, violate the Computer Fraud and Abuse Act, and launder money.
Vasinskyi was arrested in Poland on October 8, 2021, and is being held there as the United States seeks his extradition. The federal government alleges that Vasinskyi was responsible for REvil's attack against Kaseya, headquartered in Austin, Texas, among other attacks dating back to 2019.
Polyanin, who has not been detained, is alleged to have perpetrated attacks against numerous companies in Texas throughout 2019. In addition to the indictments against Polyanin, the Department of Justice announced the seizure of $6.1 million in funds traceable to alleged ransom payments from his account with FTX, a cryptocurrency exchanged based in the Bahamas.
The cases against Vasinskyi and Polyanin are part of the Department of Justice's Ransomware and Digital Extortion Task Force created last spring. The Department of Justice credited an international effort with the arrest of Vasinskyi and the indictments and the seizure of Polyanin's funds.
Also on November 8, 2021, the European Union Agency for Law Enforcement Cooperation (commonly known as "Europol") announced that Romanian authorities arrested two other individuals for suspected involvement with REvil ransomware.
Department of the Treasury: Sanctions Against Crypto Exchange and Individuals, Updated FinCEN Advisory
The Department of the Treasury's Office of Foreign Asset Control (OFAC) announced sanctions against cryptocurrency exchange Chatex for facilitating payments for ransomware groups. According to OFAC's analysis, over half of Chatex's known transactions could be directly traced to illicit or high-risk activities such as ransomware and transactions on the dark web.
OFAC also levied sanctions against three entities—Izibits OU, Chatextech SIA, and Hightrade Finance Ltd—for "providing material support" to Chatex by setting up the cryptocurrency exchange's infrastructure, and against Vasinskyi and Polyanin (the defendants in the aforementioned Department of Justice indictments) for their involvement with REvil. Latvian and Estonian authorities also suspended the operations of Chatextech and Izibits, respectively.
This is the second time OFAC has sanctioned a cryptocurrency exchange for such activities. In September 2021, OFAC sanctioned SUEX OTC, S.R.O. (Suex) on the same grounds, as DWT discussed in a prior blog post. According to OFAC, Chatex "has direct ties with [Suex], using Suex's function as a nested exchange to conduct transactions."
The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) also announced on November 8, 2021 an update of its Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The updated Advisory largely follows the original version published in October 2020 but makes several notable changes, including:
- More emphasis on the role of cyber insurance companies (CIC) and digital forensic and incident response (DFIR) firms in directly or indirectly facilitating ransom payments. The emphasis is consistent with OFAC's September 2021 updates to its own ransomware advisory, which DWT discussed previously. CICs and DFIR firms should read this updated language carefully and evaluate their legal risks when working with a company that is considering payment of a ransom.
- A direct warning to companies, including certain DFIR firms, that act as "money service businesses" (MSBs). FinCEN takes the position that companies that pay ransoms on behalf on ransomware victims, such as by purchasing and transferring cryptocurrency, are MSBs under the Bank Secrecy Act. MSBs must register with FinCEN and must comply with various Bank Secrecy Act rules, including filing Suspicious Activity Reports (SARs).
The updated advisory states: "FinCEN will not hesitate to take action against entities and individuals engaged in money transmission or other MSB activities if they fail to register with FinCEN or comply with their other [anti-money laundering] obligations."
- Further discussion of various ransomware and cyber extortion trends, including "double extortion"—a tactic whereby the attackers steal data from a victim's network before encrypting files and threaten to release that information publicly if a ransom is not paid. In this way, ransomware attackers exert two types of leverage over victims—one by holding their files for ransom and the other by threatening to release stolen data.
REvil was one of the first ransomware groups to widely employ double extortion, and notoriously released victims' data on a website it called the "Happy Blog." Other trends referenced in the updated advisory include:
- Attackers using their access to an initial victim's network to identify and target related victim companies, such as business partners and customers.
- Increased use of anonymity enhancing cryptocurrencies (AECs) such as Monero, rather than Bitcoin. Certain features of AECs, such as stealth addresses, make it very difficult to identify the payment sender or recipient. Some attackers have offered discounted ransom payments if the victim pays in Monero or another AEC.
- The use of unregistered "mixing services" that help obfuscate the identity of the payment recipient by comingling payments with other funds, breaking payments into small amounts, and passing the payments through multiple intermediaries.
- Cashing out cryptocurrency through exchanges based in countries with little regulatory oversight.
- Ransomware-as-a-service (RaaS) arrangements, whereby ransomware developers effectively license their software to affiliated groups that actually perpetrate the ransomware attack. REvil is one of the best-known users of the RaaS model.
- "Big game hunting," whereby attackers focus on large organizations that have both critical operations and weak security controls, and therefore are more likely to pay a significant ransom.
- Various edits and additions to FinCEN's "red flags" guidance for financial institutions to identify potential ransomware payments. The guidance specifically calls out transactions between entities that are at high risk for ransomware (for example, those in the government, financial, educational, and healthcare sectors) and a DFIR firm or CIC, especially one known to facilitate ransom payments. Based on its assessment of the fed flags and other factors, a financial institution may be required to file an SAR with FinCEN.
The updated advisory states that financial institutions, including cryptocurrency exchanges, must "identify and immediately report any suspicious transactions associated with ransomware attacks."
These actions by the Department of Treasury closely follow the publication of OFAC's Sanctions Compliance Guidance for the Virtual Currency Industry and FinCEN's Ransomware Trends in Bank Secrecy Act Data report, both on October 15, 2021.
Department of State: Millions of Dollars in Rewards Offered for Information on Ransomware Groups
The State Department added to the November 8, 2021 whirlwind by announcing a reward of up to $10 million "for information leading to the identification or location of any individual holding a key leadership position" in the REvil group, and of up to $5 million for information leading to the arrest or conviction of any REvil conspirator.
These rewards are offered as part of the State Department's Transnational Organized Crime Rewards Program (TOCRP). On November 4, 2021, the State Department announced similar awards related to DarkSide, the ransomware group responsible for the attack on Colonial Pipeline in May 2021.
November 8's "whole of government" actions hopefully will deal a significant blow to REvil and other ransomware groups. The ultimate effects, though, remain to be seen. DWT will continue to monitor the government's enforcement and regulatory campaign against ransomware.