Yaroslav Vasinskyi, a Ukrainian national who was arrested in Poland last month, is accused of deploying ransomware known as REvil, which has been used in hacks that have cost US firms millions of dollars. Vasinskyi conducted a ransomware attack over the Fourth of July weekend on Florida-based software firm Kaseya that infected up to 1,500 businesses around the world, according to an indictment unsealed Monday.
Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, are charged with conspiracy to commit fraud and conspiracy to commit money laundering, among other charges. As part of the investigation, authorities seized at least $6 million in funds allegedly linked to ransom payments received by Polyanin, US officials said.
CNN was first to report on the law enforcement actions before the Justice Department announcement.
The law enforcement bust is one of the most impactful actions yet in the Biden administration’s multipronged fight against ransomware, which accelerated after a series of hacks hampered US critical infrastructure firms this year. While some ransomware groups have continued to breach US companies and demand payment, others have gone quiet in recent months.
Attorney General Merrick Garland said at a press conference that the US and its allies would do “everything in our power” to track down ransomware operatives and claw back the money “they have stolen from the American people.”
The Treasury Department on Monday also imposed sanctions on Vasinskyi and Polyanin, as well as on a cryptocurrency exchange that allegedly has moved money for ransomware operatives.
The State Department meanwhile announced a reward of up to $10 million for information leading to the identification or location of the leadership of the REvil ransomware gang. The department is also offering up to $5 million for information leading to an arrest or conviction of anyone conspiring or attempting to participate in REvil ransomware attacks.
Biden administration has made tackling ransomware groups a priority
Garland on Monday declined to comment when asked if the Russian government was aware of or condoned the REvil activity, citing an ongoing investigation.
In a crowded landscape of cyber crooks, REvil has stood out for a series of brazen attacks. The group reportedly demanded $50 million from Apple earlier this year after hacking one of the tech giant’s suppliers.
The FBI has also blamed REvil for a May ransomware attack on JBS USA, which accounts for about a fifth of US beef production. The incident forced JBS to temporarily shut down production at facilities in Australia, Canada and the US. JBS paid the hackers $11 million to unlock their systems.
REvil has been deployed on about 175,000 computers worldwide, with at least $200 million paid in ransom, Garland said Monday.
Polyanin allegedly conducted about 3,000 ransomware attacks, including some on law enforcement agencies and municipalities throughout Texas, Garland said.
To turn up the pressure, the State Department last week announced a $10 million reward for key information on the hackers behind the so-called DarkSide ransomware, which forced major US fuel provider Colonial Pipeline to shut down for days in May.
John Fokker, a former Dutch cybercrime prosecutor who is now with cybersecurity firm McAfee Enterprise, told CNN that his team had helped law enforcement identify multiple suspects involved in REvil and Gandcrab, another type of ransomware.
No single law enforcement action will be a fatal blow to the lucrative, transnational ransomware economy.
Victims of ransomware attacks paid about $350 million in ransoms in 2020, according to Chainalysis, a firm that tracks cryptocurrency. But that figure is likely just a fraction of the digital extortion that went on that year. And victims who don’t pay the ransom can spend millions of dollars rebuilding their computer infrastructure.
FBI Director Christopher Wray told US lawmakers in September that the bureau was investigating more than 100 different types of ransomware.
CNN’s Evan Perez contributed reporting.