The US Department of Justice has charged a Ukrainian national for his alleged role in a July 2 cyberattack on Kaseya that resulted in the REvil ransomware sample being deployed on some 1,500 of the company's downstream customers.
Yaroslav Vasinskyi, 22, was arrested in Poland on Oct. 8 on a US arrest warrant. He is currently awaiting extradition to the US, where he faces additional charges related to ransomware attacks against numerous other companies. If convicted on all charges, Vasinskyi faces a maximum sentence of 115 years in prison.
In unsealing the indictment against Vasinskyi on Monday, the DoJ said it had also seized $6.1 million in ransom payments that allegedly were received by another REvil operator — Russian national Yevgeniy Polyanin, 28. The DoJ has charged Polyanin with carrying out ransomware attacks against businesses and government entities in Texas back in August 2019. Polyanin, who is currently still at large abroad, faces a maximum sentence of 145 years if convicted on all charges.
Vasinskyi is one of five individuals who have been arrested worldwide since February 2021 for allegedly deploying REvil (aka Sodinokibi) on systems belonging to organizations in multiple countries, including the US, Germany, and France. Two were arrested Nov. 4 in Romania, two were arrested in South Korea, and Vasinskyi was arrested in October in Poland. It's not clear when the two REvil-related arrests in South Korea happened. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations.
In addition to the arrests related to REvil, international law enforcement authorities have arrested two other individuals for deploying Gandcrab, the predecessor to REvil.
Together, the seven suspects are believed responsible for ransomware attacks on some 7,000 victims worldwide that resulted in ransom demands totaling over $231 million.
The arrests are the result of a 17-country, Romania-led operation dubbed GoldDust that was originally put into motion back in 2018 to take out the operators of Gandcrab — one of the most prolific ransomware samples to date, with more than a million victims. In May 2021, law enforcement teams from France, Germany, Romania, and Europol expanded GoldDust with a joint investigation team focused on tracking down the operators of REvil.
The arrests and indictments mark a major — though most likely fleeting — win for law enforcement authorities against a major ransomware operator. The believed-to-be-Russia-based operators have made the malware available to other threat actors as part of a ransomware-as-a-service model. Under the model, attackers — or affiliates — that use the malware pay a cut of any ransoms they collect to the original authors.
REvil has been used in attacks that have cost US organizations tens of millions of dollars over the past year. The attack on Kaseya alone involved a ransom demand of some $70 million. Another attack, against meat supplier JBS, fetched the attackers a whopping $11 million earlier this year.
Hank Schless, senior manager, security solutions at Lookout, says the arrests show that law enforcement is getting better at catching cybercriminals. But whether these arrests have any deterrent effect remains to be seen. "It will depend on the severity of the sentencing and subsequent prison sentences," Schless says. Criminals convicted of financially motivated cybercrime like ransomware appear to be garnering anything from a five- to 20-year sentence, he notes. "The broader reach of the Kaseya ransomware attack could bring a much heavier sentence for those involved," he predicts.
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, says the arrests are a good thing. However, cybercrime always finds a way, he notes. Other criminal actors will be waiting in the wings to fill the void created by the REvil arrests, Holland notes. The law enforcement action will likely also push threat actors into improving their operational security and tradecraft.
Ultimately though, arrests and sanctions alone aren't enough to combat ransomware. "We are addressing symptoms and not the root causes," Holland says. "Beyond deterrents and disruption, we must also build resiliency into the companies targeted by criminals — and state actors," he says. "The goal should be to make it harder for criminals to compromise a victim."