Law enforcement agencies announce the arrest of ransomware suspects and asset forfeiture action
On November 8, 2021, the U.S. Department of Justice published unsealed indictments against Yaroslav Vasinskyi (Vasinskyi), a Ukrainian national, and Yevgeniy Polyanin (Polyanin), a Russian national, for their alleged role in deploying the Sodinokibi/REvil ransomware to carry out cyber attacks, including the one involving Kaseya VSA software in July 2021. Ukrainian Arrested and Charged with Ransomware Attack on Kaseya, available here. The Department also announced the seizure of $6.1 million in funds from an account on FTX Trading Limited, a cryptocurrency exchange incorporated in Antigua and Barbuda, held in the name of Evegnii Igorevich Polianin and Evgeniy Igorevich Polyanin. Warrant to Seize Property Subject to Forfeiture (Case No. 3:21-MJ-888BT), available here; see also Jurisdiction, regulations, licensing, and practices, available here. The warrant alleges that these funds are traceable to ransom payments received by the Sodinokibi/REvil ransomware gang.
On October 8, 2021, Vasinskyi was arrested by Polish authorities at a border crossing in Dorohusk, Poland. US seeks extradition of alleged Ukrainian scammer arrested at Polish border stop, available here. He currently remains in Polish custody, likely pending extradition to the United States. At the time of publication, Polyanin is believed to be outside the United States and at large.
Both Vasinskyi and Polyanin are charged with (1) conspiracy to commit fraud and related activity in connection with computers, (2) intentional damage to a protected computer, and (3) conspiracy to commit money laundering. Polyanin Indictment, available here; Vasinskyi Indictment, available here.
In addition, Romanian authorities arrested two unnamed suspects for allegedly having ties to Vasinskyi and Polyanin and deploying the Sodinokibi/REvil ransomware against businesses and government IT systems between 2019 and 2021. Five Affiliates To Sodinokibi/Revil Unplugged, available here. The two unnamed suspects in Romanian custody have not yet been charged by the Department of Justice.
These arrests and the asset forfeiture came as a result of international law enforcement cooperation among 17 countries, Europol, Eurojust, and INTERPOL. Five Affiliates To Sodinokibi/Revil Unplugged, supra.
Analysis
Ransomware is a malicious program that surreptitiously encrypts data on a computer system. Ransomware 101 (CISA), available here. Once encryption is complete, the threat actor extorts the system owner to pay a ransom, typically in cryptocurrency, in exchange for decrypting the affected files. Because cryptocurrency transactions are typically irreversible, ransomware threat actors are guaranteed to receive the ransom payment. Victims, on the other hand, are not always guaranteed to receive working decryption tools even after sending the ransom payment.
U.S. agencies discourage paying ransom to threat actors. Ransomware (FBI), available here; CISA And FBI Urge Organizations To Remain Vigilant To Ransomware Threats On Holidays, Including This Labor Day (CISA), available here. In fact, certain U.S. agencies have warned of potential criminal and civil liabilities for ransom payments. For example, on September 21, 2021, the Office of Foreign Assets Control of the U.S. Department of Commerce published an updated advisory on potential sanctions risks for facilitating ransom payments to sanctioned individuals. Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, available here. Because threat actors use modern encryption methods to encrypt the victim’s files, initially only the threat actors hold the means (e.g., the decryption key) to unlock them. With government agencies discouraging ransomware payments, victims may feel stuck, unable to resolve the situation. Ignoring these government advisories, some well-known ransomware victims have paid the ransom to restore system access. E.g., Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom, available here.
Inter-governmental action against the Sodinokibi/REvil ransomware gang demonstrates law enforcement’s ability and willingness to take swift action against cyber crime actors, even when sophisticated technologies, such as modern encryption and cryptocurrency, are used to facilitate the crime. U.S. Attorney General Merrick Garland noted that “[t]he United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice and to recover the funds they have stolen from the American people.” Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest, available here. FBI Director Christopher Wray specifically remarked that the FBI’s investigation into the Kaseya attack yielded “a usable decryption key that allowed [the agency] to generate a capability to unlock Kaseya customers’ data.”
In early July 2021, when the Sodinokibi/REvil ransomware gang attacked Kaseya’s systems, Huntress Labs, a third-party cybersecurity firm, reached out to Kaseya to alert the company to the ongoing cyber incident. See Cybersecurity and Information Security Newsletter – Issue 9, available here. Kaseya swiftly took action to contain the damage and notify law enforcement agencies, including the FBI. By notifying the FBI of the cyber incident early, Kaseya benefited from a coordinated response by both law enforcement and intelligence agencies to hold threat actors accountable for their actions. Without paying the ransom, Kaseya was able to acquire the decryption tool needed to unlock customers’ files.
Based on the unsealed indictments, federal law enforcement moved swiftly to identify the Sodinokibi/REvil ransomware members and obtain grand jury indictments only about a month after the Kaseya ransomware incident was discovered. The swift pace of law enforcement action highlights the effectiveness of the newly established Ransomware and Digital Extortion Task Force at the U.S. Department of Justice. See Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion, available here.
Although other ransomware gangs may adjust their tactics to extort victims more successfully (e.g., threatening to leak sensitive stolen data unless a ransom is paid) or to hide collected ransom payments more effectively (e.g., exclusively using cryptocurrencies with enhanced privacy features), ransomware victims should be proactive in promptly contacting federal authorities to engage their assistance and resources. Furthermore, businesses and individuals should always follow best practices for regularly backing up data. The 3-2-1 Backup Strategy, available here. Finally, ransomware victims should be wary of paying ransom to threat actors. Even if threat actors help decrypt encrypted files, ransom-paying victims may face legal liability stemming from the ransom payment. For example, if the ransomware threat actors happen to be members of a U.S. sanctioned organization, paying the ransom will violate federal sanctions regulations. See, e.g., Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, supra.