U.S. seizes over $6 million from ransomware attacks

The Justice Department announced Monday that U.S. officials have seized more than $6 million in cryptocurrency and arrested two individuals they say are behind the July 4 weekend REvil ransomware attacks, in which the hacking of a Florida-based software firm Kaseya infected more than a thousand businesses worldwide. 

Ukrainian National Yaroslav Vasinskyi was arrested in Poland last month after crossing over the Ukrainian border and has been indicted on 11 federal counts for allegedly creating and utilizing the ransomware program colloquially known as REvil to demand hundreds of thousands of dollars from 10 American entities and companies.

"The Poles have been terrific partners. We're very grateful for their assistance," FBI Director Christopher Wray told reporters Monday.

Russian national Yevgeniy Igorevich Polyanin is also accused of "authoring" the REVIL ransomware and is charged with 14 counts of conspiracy to commit fraud, intentional damage to a protected computer, and money laundering. U.S. officials alleged the cybercriminal conducted 3,000 ransomware attacks in total. According to court documents, Polyanin used REvil to infiltrate more than a dozen government entities in August of 2019.  

"Today, and now for the second time in 5 months, we announce the seizure of digital proceeds of ransomware deployed by a transnational criminal group," Attorney General Merrick Garland said. "This will not be the last time. The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation's resilience to cyber threats."

In May, the federal government recovered approximately $2.3 million dollars in cryptocurrency from Russia-based hacking group Darkside, after cybercriminals had attacked the country's largest fuel pipeline, prompting gas shortages across the southeastern U.S.

Garland announced Monday that REvil ransomware alone has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom. 

According to the two separate indictments unsealed Monday in the Northern District of Texas, Vasinskyi, Polyanin and unnamed co-conspirators designed the malicious computer program, also called Sodinokibi, with the intent of using it to hold computer systems hostage in exchange for cryptocurrency like Bitcoin and Monero.

Prosecutors allege the program's designers used it to "infect victims' computers in various ways, including by deploying phishing emails to collect the recipients' credentials and to deliver malware." Once the hackers gained sufficient access to the networks, they allegedly encrypted the files and held the then-encrypted information on the computers as ransom, demanding cryptocurrency in return for decryption keys.

The indictment alleges Vasinskyi held the encrypted data of one company from Fairfield, New Jersey, for $700,000 ransom.

In some instances, to prove to the attacked companies that their threats were legitimate, investigators say the hackers posted some of the information they gathered on a blog in an attempt to further threaten their victims.

In all, the men are accused of using REvil to attack dozens of protected computer networks in the government, nonprofit, financial services, and information technology sectors, including the Forida-based Kaseya for which Vasinskyi is allegedly responsible. 

Polyanin, of Russia, remains at large. 

If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively.

Alex Iftimie, a former national security official at the Department of Justice, tells CBS News that Monday's action has "lifted the veil of anonymity" that typically shields cyber criminals. The arrest of Vasinskyi could tip the scale for would-be hackers considering joining a ransomware group. 

"The U.S. government has done a lot here to change the risk calculus for ransomware actors who are thinking, 'I too can have a Maserati if I engage in this kind of conduct," Iftmie, a partner at Morrison & Foerster, added. 

Along with the Kaseya attack, the FBI formerly attributed a May ransomware attack on JBS USA, to REvil. The world's largest meat processing company announced in June that it paid an $11 million ransom to REvil cybercriminals after it was forced to halt cattle-slaughtering operations at 13 of its meat processing plants.

Earlier this year, REvil reportedly demanded $50 million from Apple ahead of its product launch after hacking one of its suppliers, Quanta Computer. 

In 2020, ransomware payments reached over $400 million, according to the FBI, a nearly 21% increase in reported ransomware cases and a 225% increase in associated losses compared to 2019. 

Monday's cyber crackdown represents a significant step in the Biden administration's long-term mission to counter ransomware attacks, which began to proliferate during the pandemic, culminating in a number of critical infrastructure breaches earlier this year.

But while ransomware attacks continue, law enforcement's success in tracking down perpetrators has led some of the actors to cool down operations in recent months.

U.S. Cyber Command, the Department of Defense's offensive arm, targeted REvil's servers last month, prompting the cybercriminals to shut down their website used to extort victims, according to The Washington Post.

Last week, Romanian authorities arrested two more alleged REvil operatives, Europol announced Monday. South Korean authorities extradited a Russian man accused of participating in a different cyber criminal ring to the United States, last month.

In June, President Biden pressured Russian President Vladimir Putin to stop giving safe harbor to cybercriminals in Russia, after a slew of cyber attacks. 

National Security Agency Director General Paul Nakasone said last week it was "too soon to tell" if the Kremlin has facilitated the international hunt for cybercriminals after the United States handed over names of wanted suspects.

Kaseya Senior Vice President Dana Liedholm thanked the FBI for its help in pursuing the the cyber thieves responsible for July's supply chain hack.  "From day one, the FBI has, and continues to be, a great partner to us," Liedholm said in a statement.

Wray called Monday's cyber crackdown "yet another example highlighting why the public needs breach reporting legislation that provides the FBI real time access to information about ransomware attacks." 

On Thursday, a bipartisan group of senators moved to include a provision in the defense budget that would require certain critical infrastructure groups to report major cyber incidents to the government within 72 hours.

The amendment, written by top Democrats and Republicans on the Senate Homeland Security and Governmental Affairs Committee and Senate Intelligence Committee, also requires certain infrastructure groups, nonprofit organizations, state and local governments, and businesses report ransom payments made to cybercriminals within 24 hours.