Kaseya Hacker Charged & $6M Seized from REvil Ransomware Gang

Justice Department Charges Ukrainian Citizen in Kaseya Ransomware Attack
The U.S. Department of Justice (DOJ) has filed charges against a 22-year-old Ukrainian national allegedly connected to the REvil ransomware group. This individual is accused of being a key figure in the July ransomware attack targeting U.S. technology company Kaseya.
Furthermore, authorities have successfully seized over $6 million in ransom payments linked to another member of the notorious REvil organization.
Arrest and Accusations
U.S. Attorney General Merrick Garland revealed during a press conference on Monday that Yaroslav Vasinskyi was apprehended in Poland last month. The arrest was made at the request of the U.S. government, and he is currently awaiting extradition proceedings.
Vasinskyi, who operated under various aliases online to conceal his identity, is alleged to have been a persistent affiliate of the now-disbanded REvil ransomware operation. He is implicated in carrying out approximately 2,500 attacks against businesses globally.
Vasinskyi is specifically accused of involvement in the Kaseya attack, which affected over 1,500 businesses in the U.S. and carried a ransom demand of $70 million. His total ransom demands are estimated to have reached $767 million.
Seized Funds and Additional Charges
U.S. officials have also confiscated $6.1 million related to hacking activities attributed to Yevgeniy Polyanin, a Russian national and another REvil affiliate. Polyanin is accused of executing 3,000 ransomware attacks and extorting approximately $13 million from victims.
Both Vasinskyi and Polyanin face charges of conspiracy to commit money laundering, conspiracy to commit fraud, and intentionally causing damage to a protected computer.
“The Justice Department will dedicate all necessary resources to identify and prosecute anyone who targets the United States with a ransomware attack,” stated Garland.
Broader Efforts Against Ransomware
The U.S. government’s actions extend beyond targeting hackers. The Treasury Department announced sanctions against the Chatex cryptocurrency exchange for its role in facilitating ransom transactions.
The State Department has also offered a reward of up to $10 million for information leading to the identification or location of key leaders within the Sodinokibi/REvil ransomware group.
A separate reward of up to $5 million is available for information resulting in the arrest or conviction of individuals involved in REvil-variant ransomware incidents.
Last week, a similar bounty was announced for information concerning the hackers behind the DarkSide ransomware, which disrupted operations at Colonial Pipeline in May. Previously, the U.S. recovered $2.3 million of the ransom payment made by Colonial Pipeline.
Recent Arrests and International Cooperation
Over the past five months, the DOJ’s initiatives have led to the arrest of seven REvil affiliates. Europol announced on Monday the arrest of two hackers in Romania who used REvil ransomware to infect and attempt to extort as many as 5,000 victims.
These individuals allegedly made approximately €500,000 (roughly $578,000) from ransom payments and were arrested on November 4th.
Kuwaiti authorities also arrested a third REvil affiliate on the same day.
Additionally, two other individuals believed to be REvil affiliates were apprehended in South Korea in February and April, details of which were disclosed today for the first time.
Operation GoldDust and its Impact
These arrests are the result of Operation GoldDust, a collaborative effort involving law enforcement agencies from 17 countries, as well as Europol, Eurojust, and Interpol.
The operation was also supported by the cybersecurity sector, including contributions from Bitdefender, KPN, and McAfee.
Bitdefender researchers provided crucial technical insights and decryption tools throughout the investigation.
Europol reports that the REvil decryption tools have enabled over 1,400 companies to decrypt their networks following ransomware attacks, preventing the payment of over €475 million ($550 million) to cybercriminals. The entire REvil ransomware operation is estimated to have received more than $200 million since its inception.
Ongoing Law Enforcement Actions
These recent actions are part of a broader trend of law enforcement targeting ransomware operations. Last month, a Europol-led operation focused on 12 suspects in Ukraine and Switzerland linked to LockerGoga, MegaCortex, Dharma, and other ransomware attacks.
