Nov 8, 2021
US seizes $6 million from REvil ransomware, arrests Kaseya hacker
The United States Department of Justice today announced charges against a REvil ransomware affiliate responsible for the July 2nd attack against the Kaseya MSP platform, along with the seizure of more than $6 million from another REvil partner.
The suspect is 22-year-old Ukrainian national Yaroslav Vasinskyi, arrested for cybercriminal activity on October 8, at the request of the U.S., while trying to enter Poland from his native country.
Vasinskyi is known by several aliases (Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22). He is one of seven REvil ransomware affiliates apprehended so far as part of broad international efforts to combat the ransomware threat.
While the news of Vasinskyi getting arrested did not go unnoticed, the exact reason was unclear until his indictment and arrest warrant were unsealed on November 5.
In a press conference today, the DoJ announced the charges against Vasinskyi, underlining his involvement in the Kaseya attack that impacted around 1,500 businesses worldwide.
REvil ransomware, also known as Sodinokibi, is the successor of GandCrab and had an initial test run in April 2019 in an attack that exploited a vulnerability in WebLogic Server.
According to the indictment, Vasinskyi is a long-time affiliate of the REvil ransomware operation, a member since at least March 1st, 2019, who deployed about 2,500 attacks against businesses worldwide.
The investigation revealed that Vasinskyi’s ransom demands amounted to $767 million, but victims paid only $2.3 million. He is believed to have deployed ransomware on the networks of at least nine companies in the U.S.
By comparison, the entire REvil ransomware operation received more than $200 million since it began operating and encrypted at least 175,000 computers.
Of all the companies attacked, the attack on managed service provider (MSP) Kaseya was the biggest, with a ransom demand of $70 million to decrypt all the systems.
This incident acted as a catalyst for the U.S. to launch a broad operation against the ransomware threat in cooperation with law enforcement across the world.
The U.S. is now requesting Vasinskyi’s extradition and has unsealed the charges against him.
The DoJ also announced that law enforcement seized $6.1 million from another REvil ransomware affiliate, Russian national Yevgeniy Polyanin, who is currently at large.
Previously, the U.S. had recovered $4.4 million of the ransom payment that Colonial Pipeline made to the DarkSide ransomware gang following an attack that led to temporary gas shortages.
Polyanin (a.k.a. LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23) is believed to have perpetrated about 3,000 ransomware attacks against various organizations, including multiple U.S. government entities and private-sector companies, extorting around $13 million from victims.
According to the indictment, Polyanin accessed and encrypted the networks of 13 government entities in Texas around August 16, 2019.
If the date sounds familiar, it’s because that’s when 22 local governments had their systems locked in a REvil ransomware attack that leveraged flaws in software from an MSP.
While the hackers asked for a collective ransom of $2.5 million, one of the largest at the time, they got nothing as a coordinated state and federal response recovered the systems.
As part of the strategy to counter the ransomware threat, the U.S. Department of Treasury today announced sanctions against both Polyanin and Vasinskyi, blocking all property and interests in property that fall under U.S. jurisdiction.
“Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action” – U.S. Treasury
The charges against Polyanin are the same as for Vasinskyi:
In about five months, the DoJ’s efforts have resulted in the arrest of seven affiliates of the REvil ransomware operation.
On November 4, authorities in Romania arrested two alleged REvil ransomware partners. A GandCrab affiliate was arrested on the same day in Kuwait. Three other individuals were apprehended in February, April, and October.
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners,” – FBI Director Christopher Wray
Apprehending these REvil affiliates was possible through coordinated efforts from investigators and prosecutors from several jurisdictions:
– Romania’s National Police and the Directorate for Investigating Organised Crime and Terrorism
– Canada’s Royal Canadian Mounted Police
– France’s Court of Paris and BL2C (anti-cybercrime police unit)
– Dutch National Police
– Poland’s National Prosecutor’s Office, Border Guard, Internal Security Agency, and Ministry of Justice
– the governments of Norway and Australia
Update [November 8, 14:50 EST]: Added more information from Polyanin’s indictment and the DoJ press release.