US charges Ukrainian and Russian nationals over ransomware attacks
US authorities have brought criminal charges against a Ukrainian and a Russian national for their roles in high-profile ransomware attacks, as part of a sprawling global crackdown on digital extortion groups.
The US justice department on Monday said it had charged Ukrainian Yaroslav Vasinskyi, 22, for allegedly conducting one of the largest global supply chain ransomware attacks, the Kaseya hack, among others. The US said it is seeking to extradite Vasinskyi, who was arrested in Poland after crossing the border from Ukraine, Merrick Garland, attorney-general, said.
The sprawling hack in July hit information technology management software supplier Kaseya and an estimated 1,500 of its clients and clients’ clients. The attack forced Swedish supermarket chain Coop to close nearly all of its 800 stores.
The US has also charged Russian national Yevgeniy Polyanin, 28, for allegedly targeting US government entities and private-sector companies in about 3,000 attacks that reaped an estimated $13m, Garland said. The US has seized $6.1m in ransom proceeds from his activities, he added, and he is believed to be abroad.
US authorities said both individuals were part of Sodinokibi/REvil, a prolific Russia-linked ransomware gang which has also been blamed for a crippling attack on meat supplier JBS. The US Treasury department said the gang had received more than $200m in ransom payments in cryptocurrency from its victims.
The moves — which also involved authorities in Poland, Romania, Ukraine, France, Estonia, Latvia and Germany — mark the most significant and co-ordinated effort yet by the US to curb the recent spate of ransomware attacks, in which hackers seize a company’s data and demand a ransom.
Separately on Monday, Europol announced that law enforcement in Romania had arrested two ransomware hackers associated with the Sodinokibi/REvil ransomware cartel.
Many western security experts have said president Joe Biden’s administration should be tougher on Moscow in particular, given that the majority of ransomware criminals are understood to be based in Russia or Russian-speaking countries, where they operate with impunity.
Biden warned Russian president Vladimir Putin in a June summit that 16 areas of critical infrastructure, spanning energy, heath and water, should be “off-limits to attack” by cyber or other means, and urged responsible countries to take action against criminals who conduct ransomware activities on their territory. However, attacks by such groups appear to have continued unabated.
Asked whether Russia had either condoned or was aware of the illicit activity, Garland said: “We expect and hope that any government in which one of these ransomware actors is residing will do everything it can to provide that person to us for prosecution.”
The US state department said it was offering a reward of up to $10m for any information leading to the identification or location for anyone in a leadership position in the Sodinokibi/REvil group, and a further $5m for any information leading to the arrest or conviction of any individual involved in a Sodinokibi/REvil ransomware incident.
US authorities are also increasing scrutiny of the ballooning crypto industry over concerns that anonymous digital assets can be used for money laundering.
The Treasury department on Monday imposed sanctions on Chatex, a virtual currency exchange that it said had “facilitated transactions for multiple ransomware variants”, along with three groups that it said had provided “material support and assistance to Chatex”.
According to the Treasury, more than half of Chatex’s transactions were directly linked to “illicit or high-risk activities” such as making payments on underground markets on the dark web, and allowing ransomware groups to launder their extortion payments. It also said that Chatex used services provided by Suez, a virtual currency exchange that was also sanctioned by the US in September for similar allegations.
Additional reporting by Katrina Manson in Washington