
Illustration by Security Management

The Good Guys Score Wins Against Ransomware Criminals

The United States unsealed court documents on Monday and announced the apprehension of the suspected mastermind behind the most potent REvil (pronounced “are evil”) ransomware attacks.

Couple that with Europol announcing that it apprehended five people suspected of being involved with REvil. This itself comes on the heels of Europol's announcement in late October of the arrest of 12 people charged with various crimes related to ransomware attacks. Corporate security can breathe a sigh of relief, right? Right?

Probably not. Security headlines alongside the REvil arrest include “Hackers with Chinese Links Breach Defense, Energy Targets, Including One in U.S.,” and “NSO Spyware Found on 6 Palestinian Activists’ Phones,” with a major data breach report added for good measure (“Robinhood Says Email Addresses of 5 Million Customers Exposed in Security Breach”).

Alas, the cyber landscape remains filled with peril. Still, at least one Wired reporter wrote an article on how the recent spate of good guys making progress against cyber bad guys will make a real difference. More on that in a moment, but first a look at yesterday’s announcement.

The United States had a sealed indictment charging Yaroslav Vasinskyi for crimes related to the July 2021 attack against Kaseya. Recall that the Kaseya attack affected thousands of companies: Kaseya is an IT company supplying network administration tools and services, and it was those tools and services that were compromised.

Last month, Polish authorities detained Vasinskyi, a Ukrainian, at the request of the United States, which is working to extradite him. The U.S. Department of Justice (DOJ) alleges that Vasinskyi caused the deployment of REvil ransomware code throughout the Kaseya architecture. Kaseya customers were then extorted because Vasinskyi allegedly held their data ransom.

As part of the same announcement, the DOJ charged Russian Yevgeniy Polyanin in several REvil-related attacks and seized $6.1 million in ransomware payments. Polyanin remains at large.

In remarks on the arrest and seizure, U.S. Attorney General Merrick Garland said:

Today, we are unsealing Vasinskyi’s indictment. Vasinskyi’s arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate, and apprehend alleged cybercriminals—no matter where they are located.

Ransomware attacks are fueled by criminal profits. That is why we are not just pursuing the individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them, whenever we can, to the victims from whom they were extorted.

And that brings me to our second announcement today. In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin.

As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 ransomware attacks. Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the State of Texas. Polyanin ultimately extorted approximately $13 million from his victims.

The U.S. government was not done, however. The U.S. Treasury Department also announced on Monday sanctions against cryptocurrency company Chatex for its alleged role in facilitating ransomware payments.

As for the winning streak the good guys have built up, and it being a potential sign of things to come, the Wired article interviewed Katie Nickels, who is director of intelligence at the security firm Red Canary.

“I’m cautiously optimistic because of the broad nature of this announcement,” she said. “REvil was honestly already on the downswing after the Kaseya incident, but there are still other groups that are really bad right now. Adversaries are going to be looking to see: is this a limited action, or can law enforcement continue imposing costs?”

The article said it was a positive sign that the U.S. and Europol announcements praised the actions and coordination of Romania and Estonia in assisting with the recent success. The article also noted the cooperation of Kaseya during the attack on its systems, and a changed emphasis in the U.S. approach. Previously, outreach to companies focused on discouraging them from paying ransoms when their systems are hijacked. The new approach deemphasizes payments and is all about encouraging reporting and collaboration with authorities so law enforcement can act while an event is ongoing.