Justice Dept. Brings New Charges in Ransomware Attacks

The department said it had charged a Russian national in one attack and recovered $6.1 million in ransom. It also arrested a Ukrainian man for another attack.


Continue reading the main story

Supported by

Continue reading the main story




Justice Dept. Announces Charges and Arrest in Ransomware Attacks

The Justice Department announced charges against a Russian national accused of conducting ransomware attacks against American government entities and businesses, as well as the arrest of a Ukrainian national in a separate attack.

On July 2, the multinational information software company Kaseya and its customers were attacked by one of the most prolific strains of ransomware known as REvil, or Sodinokibi. On Aug. 11, the Justice Department indicted Yaroslav Vasinskyi, also known by the online moniker Robotnik. The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers and conspiring to commit money laundering. Two months after the indictment on Oct. 8, Vasinskyi crossed the border from Ukraine into Poland. There upon our request, Polish authorities arrested him pursuant to provisional arrest warrant. We have now requested that he be extradited from Poland to the United States. In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 random ransomware attacks. Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million from his victims. The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyberthreats.

The Justice Department announced charges against a Russian national accused of conducting ransomware attacks against American government entities and businesses, as well as the arrest of a Ukrainian national in a separate attack.CreditCredit…Andrew Harnik/Associated Press

Nov. 8, 2021, 5:38 p.m. ET

The Justice Department said on Monday that it had brought charges against a Russian national whom it accused of conducting ransomware attacks against American government entities and businesses, including one that temporarily shut down the meat supply giant JBS.

In the Biden administration’s latest crackdown on cybercrime, the Justice Department also announced that it had seized $6.1 million in ransom paid to the Russian man, Yevgeniy Polyanin, 28, who was accused in court documents of deploying ransomware known as REvil against businesses and government offices in Texas in 2019.

Mr. Polyanin, who is believed to be abroad, has not been taken into custody by American authorities and the prospects of him facing trial in the United States remain unclear.

The department also unsealed a separate indictment on Monday accusing a Ukrainian national, Yaroslav Vasinskyi, 22, with conducting multiple ransomware attacks, including the July 2021 assault on the technology company Kaseya. The attack on Kaseya, which manages internet technology infrastructure for other companies, allowed hackers to infect the systems of Kaseya’s hundreds of customers, including Swedish pharmacies and grocery chains.

Mr. Vasinskyi was arrested last month by authorities in Poland as he crossed into that country, and the Justice Department is seeking his extradition to stand trial in the U.S.

“The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims,” Attorney General Merrick B. Garland said in a statement.

The arrests are part of a sustained, coordinated, global effort to combat ransomware. That effort has intensified in recent weeks as authorities in Ukraine, Romania, Kuwait and South Korea started arresting cybercriminals who use what is known as “ransomware as a service.”

“We are bringing the full strength of the federal government to disrupt malicious cyberactivity and actors, bolster resilience at home, address the abuse of virtual currency to launder ransom payments, and leverage international cooperation to disrupt the ransomware ecosystem and address safe harbors for ransomware criminals,” President Biden said in a statement on Monday.

In a ransomware attack, hackers break into a company’s or agency’s computer network, encrypt the data, and then demand a ransom to decrypt it.

In recent years, ransomware groups have used a double-extortion scheme where they not only hold data hostage, but threaten to leak it online. Some groups have started offering the use of their ransomware code, portals, payment platforms and messaging infrastructure to others to conduct attacks, as in the Texas case using REvil, provided by a hacker group of the same name.

Last month, the Biden administration hosted a two-day conference with 30 other countries to create a coalition dedicated to disrupting the global ransomware ecosystem.

Cybersecurity experts say most ransomware developers are based in Russia, where they enjoy broad immunity because Russia does not arrest or extradite them. (Russia was notably not invited to the Biden administration’s summit.) This has limited options for law enforcement in the United States, Europe and other countries.

But in the past few months, American officials have changed tack. Last week, the State Department announced a $10 million reward for anyone who could help provide information about the leaders of DarkSide, a ransomware group alternately known as BlackMatter, which was behind the hack of Colonial Pipeline last May.

Mr. Biden said on Monday that when he met with Russian President Vladimir V. Putin in June, he made clear that the U.S. “would take action to hold cybercriminals accountable.”

American officials have also started clawing back ransom payments from cybercriminals, as they did in the case of DarkSide last June and with Mr. Polyanin, as announced on Monday.

“The message is: ‘You might think we can’t arrest you because you’re living in Russia, but there are a lot of other ways we can get to you,'” said Allan Liska, an intelligence analyst at Recorded Future, a cybersecurity firm. “This kind of sustained, cooperative law enforcement operation is making it far more expensive to conduct ransomware attacks and it’s starting to scare them.”

Over the past few weeks, members of REvil and DarkSide have both gone dark, signing off from cybercriminal forums on the Dark Web. “They’re signing off and staying off,” said Mr. Liska. “We’re used to seeing these groups pop back up in different forms, but I’m not so sure we’re going to see REvil and DarkSide again.”

When asked at a news conference whether the Russian government condoned the effort to rein in ransomware criminals, or was cooperating in efforts to detain Mr. Polyanin, Mr. Garland said that he could not comment because the investigation was ongoing.

“We expect and hope that any government in which one of these actors is residing will do everything it can to provide that person to us for prosecution,” he said.

Last week, the Justice Department located a Russian cybercriminal who was hiding out South Korea, and the department worked with other governments to get the accused man into a U.S. courtroom, Deputy Attorney General Lisa O. Monaco said at the news conference announcing the indictments.

The enforcement actions undertaken last week and on Monday show that “we’ll use all tools and partners to hold accountable bad actors,” Ms. Monaco said.

The Justice Department said that it would continue to escalate its fight against cybercrime, which it sees as a serious economic and national security threat. In an interview last week with the Associated Press, Ms. Monaco said that more arrests and seizures of ransom payments were imminent.

But even as cybersecurity experts applauded the latest moves against REvil and its affiliates on Monday, other ransomware gangs continued to attack American cities, counties and even police departments.

Just after the Justice Department announced its latest charges on Monday, a ransomware gang called Pysa — the subject of an F.B.I. warning last year — started leaking data from more than 50 new victims. Among them were the town of Bridgeport, W. Va., and a school in Omaha. Another ransomware group, called Grief, hit a police department in Fulton, N.Y.

The latest targets did not immediately respond to requests for comment.

Leave a Reply