Authorities in U.S. and Europe Pursue Ransomware Hackers

On Monday, the Justice Department announced the arrests and charges of hackers allegedly linked to a significant ransomware organization, as well as the recovery of more than $6 million extorted by the REvil group.

Source: Washington Post | Published on November 9, 2021


The Treasury Department imposed sanctions against the hackers, and the State Department added REvil to a bounty program that offers monetary rewards for information leading to the identification or location of any of the group's leaders.

The moves, when taken together, represent the Biden administration's most comprehensive coordinated action to show its determination to combat ransomware attacks, which have reached such dangerous levels that the president has directly warned Russian President Vladimir Putin twice about the need to take action against criminals operating from Russian soil.

Ransomware is a type of malware that encrypts the data on computers and locks them, after which the hackers demand large payments to unlock them. According to the White House, these payments totaled more than $400 million internationally last year. After attacks in the spring on a major American gasoline pipeline and on the world's largest meat supplier, ransomware has been elevated to a national security concern.

The US actions were conducted as part of a broad criminal investigation with European authorities, who announced the arrests of two more alleged REvil hackers in Romania on Monday. The Biden administration has begun a "whole-of-government" approach to combat the problem, bringing together the resources of multiple agencies.

"Our message today is clear: The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, bring them to justice, and recover the funds they have stolen from the American people," Attorney General Merrick Garland said Monday at a news conference alongside the FBI and Treasury Department heads.

According to officials, a major step was the arrest last month in Poland of a Ukrainian national who allegedly carried out a crippling July 2 attack against a Florida-based software firm. The suspect, Yaroslav Vasinskyi, was indicted under seal on August 11. He is accused of deploying ransomware against the firm, Kaseya, by corrupting updates to its network management software, which harmed scores of its clients. Kaseya said that between 800 and 1,500 businesses, ranging from schools to grocery chains to hospitals, were ultimately affected. Officials said a second hacker, Russian national Yevgeniy Polyanin, is still at large.

In separate indictments, Vasinskyi and Polyanin are charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and money laundering. The indictments were unsealed on Monday in the Northern District of Texas.

"Vasinskyi's arrest underscores how fast we will act with our overseas allies to identify, find, and apprehend alleged cybercriminals," Garland said.

Vasinskyi was apprehended by Polish officials on the Polish-Ukrainian border on Oct. 8, and the US is seeking his extradition, according to Garland.

Officials said Polyanin was also accused of extorting $6.1 million in ransomware payments. According to the indictment, he was linked to 3,000 ransomware attacks that netted $13 million in ransom from institutions across the United States, including law enforcement agencies and municipalities across Texas.

"We announced the recovery of digital proceeds of ransomware launched by a global criminal organization for the second time in five months," Garland said. "This isn't the last time."

The Justice Department said in June that it had recovered $2.3 million in ransoms paid to Darkside, a Russian-speaking ransomware gang. That organization was behind the attack on Colonial Pipeline in May, which forced the firm to briefly shut down its pipeline, sparking panic gasoline purchases across the East Coast.

Deputy Attorney General Lisa Monaco said the newest seizure was the result of "good old-fashioned detective work." "By following the money, we were able to recover the ransom."

REvil, also known as Sodinokibi, has struck thousands of victims around the world, according to Monaco. In the spring, REvil hit JBS, the world's largest beef supplier. Some of the company's operations in Australia, Canada, and the United States were briefly halted as a result of the attack. According to the company, JBS paid an $11 million ransom to free its computers.

Following the Kaseya attack in July, Biden warned Putin that the US would take "whatever necessary steps" to protect critical infrastructure.

Officials stressed the need for victims to report attacks to the FBI as soon as possible so that investigators can identify the perpetrators, recover funds, and counter the threat.

FBI Director Christopher Wray praised Kaseya for its "quick response." He added that the FBI then collaborated with other federal agencies as well as international law enforcement and intelligence services.

According to the Washington Post, the FBI, working with overseas partners, gained early access to a decryption key that could have helped victims unlock their computers. With the agreement of other agencies, it withheld the key for more than two weeks, in part because it was planning an operation against REvil and didn't want to tip off the attackers.

"In the end, we were able to both decrypt encrypted material and shut down rogue actors," Wray said on Monday. "That can happen pretty fast in a lot of cases. It can take a little longer at times."

The State Department is offering a reward of up to $10 million for information leading to the arrest of REvil leaders and up to $5 million for information leading to the arrest of anyone involved in a REvil attack.

In a statement, Biden said that he told Putin that "the US would take action to hold cybercriminals accountable. That is exactly what we did today."

Polyanin is a "wonderful test case," according to Silverado Policy Accelerator founder Dmitri Alperovitch. "Will Moscow intervene in his case? If they don't, it's a warning that they won't be cooperating."