The U.S. government announced a pair of legal busts targeting members of the REvil ransomware crew, including an accused operator behind the Kaseya attack.
Department of Justice officials, led by Attorney General Merrick Garland, announced the actions against REvil in a press conference Monday. Garland said the DOJ is awaiting the extradition of 22-year-old Yaroslav Vasinskyi from Poland to face hacking and money laundering charges.
A Ukrainian national, Vasinskyi is accused of being among the masterminds of the summer's breach at IT services provider Kaseya. The hack resulted in Kaseya's IT services platform being seeded with bad updates that allowed the hackers to access thousands of companies that used the Kaseya platform and lock their systems with the REvil ransomware.
According to the indictment filed with the North Texas U.S. District Court, Vasinskyi was part of the group that not only authored the REvil ransomware and used it in the Kaseya attack, but also sought out affiliate hackers to help spread the ransomware to other victim companies.
He faces felony charges of computer fraud, conspiracy to commit computer fraud and conspiracy to commit money laundering. Court dates are yet to be set as Vasinskyi's extradition is still pending.
Garland touted the cooperation of police in Poland, where Vasinskyi was nabbed while traveling in August.
"As a result of the Kaseya attack, businesses that relied on Kaseya in the US and around the world were impacted," he said during the press conference. "Vasinskyi's arrest demonstrates how quickly we will act alongside our international partners."
The DOJ's second announcement was the seizure of funds believed to have belonged to a second REvil operator, 28-year-old Russian national Yevgeniy Polyanin, who was also indicted on charges of hacking and money laundering.
Officials say that they have managed to take over accounts holding $6.1 million worth of cryptocurrency previously owned by Polyanin, who has also been indicted on the same counts as Vasinskyi but has yet to be arrested.
In Polyanin's case, the alleged hacking and money laundering occurred in 2019, when he and others used REvil ransomware to infiltrate and extort a number of companies in the Northern Texas jurisdiction.
While Polyanin has yet to be brought in by police and extradition from Russia is unlikely, the DOJ said it believes that seizing millions of dollars of the alleged hacker's criminal proceeds will still send a powerful message to the REvil crew and other high-profile ransomware operators.
In his statement on the indictments, President Joe Biden indicated that the U.S. would continue to pursue ransomware operators with or without the Kremlin's assistance.
"When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable. That's what we have done today," Biden said.
"We are bringing the full strength of the federal government to disrupt malicious cyber activity and actors, bolster resilience at home, address the abuse of virtual currency to launder ransom payments, and leverage international cooperation to disrupt the ransomware ecosystem and address safe harbors for ransomware criminals."
As for businesses and government agencies that face ransomware attacks going forward, officials had a clear message: The best course of action is to work with law enforcement early and often following an attack. In particular, they noted that Kaseya's early work with the FBI helped them to track down the REvil operators.
"In their darkest hour, Kaseya made the right choice and they decided to work with the FBI," said Deputy Attorney General Lisa Monaco during the press conference. "Kaseya gave them the info they needed to act, and to act fast."
The indictments were unveiled on the heels of a separate set of REvil busts announced on Monday by officials with Europol. The agency said that officers in Romania took custody of a pair of suspected REvil operators who together were behind as many as 5,000 ransomware infections.