A hacker linked to a Russian ransomware gang that brazenly attacked more than 1,000 U.S. companies in July has been charged for his cybercrime campaigns, according to court documents unsealed Monday.
The hacker, Yaroslav Vasinskyi, a Ukrainian national, wrote the software behind the Russian-linked REvil gang’s ransomware attack against the software company Kaseya. That attack ended up infecting thousands of companies and kept them with limited operations for weeks, according to a grand jury indictment.
To date, REvil ransomware has been used in attacks against 175,000 computers around the world with at least $200 million paid, U.S. Attorney General Merrick Garland said Monday.
The attack was particularly troublesome for the FBI, which withheld the decryption key that would help victims bounce back from the attack so that the U.S. government could go after the ransomware gang behind the attack.
The REvil hacking gang has also been popping other companies in recent months, including an attack against meat processor JBS this summer that ground operations to a halt.
In all, Vasinskyi, who used different names online to avoid detection, is accused of going after 10 companies, according to court records. Only Kaseya is identified by name in court documents. Vasinskyi was arrested last month in Poland at a border crossing in connection with his hacking—Polish authorities arrested him at the request of the U.S. government, Garland said.
U.S. officials have also seized $6.1 million in connection with hacking campaigns linked to another cybercriminal, Russian national Yevgeniy Polyanin. Polyanin is accused of conducting 3,000 ransomware attacks in all, U.S. officials said Monday.
The Biden administration has been working to go after ransomware gangs ever since Russian hacking gangs upped the ante in recent months. Russian ransomware gangs have hit critical infrastructure in the United States, including one gang’s attack against Colonial Pipeline, which caused Americans to line up around the block for gas on the East Coast as the pipeline operator worked to respond.
President Joe Biden has spoken with Russian President Vladimir Putin about not giving hacking groups safe harbor in Russia and tamping down on their schemes. And the U.S. has handed over specific names of criminals to Russia in the hopes they will help go after them. But efforts to get Russia to participate in crackdowns have largely been unsuccessful.
Gen. Paul Nakasone, the National Security Agency Director, said last week that engagement with Russia continues but that it is too soon to tell if they have acted on the information about specific criminals.
The Department of Defense’s offensive hacking arm, Cyber Command, also hijacked the website the REvil hacking gang used to extort victims, which some U.S. officials say has had the hacking gang running scared in recent weeks, according to The Washington Post.
Ransomware gangs have been working to regroup in recent months too, calling it quits and resurfacing under new names to avoid suspicion, as law enforcement attention on ransomware gangs has spiked. In some cases, hacking gangs have started using different code words to avoid getting outed for ransomware plots on hacking forums, as The Daily Beast has reported.
But today’s news is a move in the right direction, said Brett Callow, a security analyst at Emsisoft, a security firm that was involved in helping victims recover from the Kaseya ransomware attack.
“The pace of disruption and arrests seems to be accelerating, which is a necessary step in the fight against ransomware,” Callow told The Daily Beast. “Bounties, arrests, offensive operations, cryptocurrency seizures, and other disruption actions all act as a deterrent to ransomware actors—and we seem to be seeing these things more and more often. We’re not out of the woods yet as far as ransomware goes, but it seems we may finally be heading in the right direction.”
The news comes as Russian-linked ransomware hackers have been facing manhunts around the world. Just last week, law enforcement authorities in Europe rounded up and arrested two hackers who have been deploying REvil ransomware and who have taken half a million euros in ransom payments along the way, Europol announced Monday.
The arrests are part of a more sweeping operation to go after ransomware gangs, known internally as “GoldDust,” that involves 17 nations and law enforcement investigations.