US DOJ recovers $6 million and indicts two REvil principals

It didn’t take long for the White House’s ransomware initiative to be fruitful, as evidenced by the successful international law enforcement efforts targeting members of the Sodinokibi/REvil criminal enterprise. The Department of Justice (DoJ) unsealed two grand jury indictments on November 8, 2021, on individuals associated with the group – Yaroslave Vasinskyi and Yevgeniy Polyanin– both with Sodinokibi/REvil ransomware.

US Attorney General Merrick Garland, accompanied by Deputy US Attorney General Lisa Monaco, FBI Director Christopher Wray, and Deputy Secretary of the US Treasury Wally Adeyemo, shared the news of the arrest of Vasinskyi by Polish authorities at the request of the United States. A DoJ press release highlighted the efforts of the Ransomware and Digital Extortion Task Force as being key. In addition, teams from within the private sector played a substantive role, includinf those from Microsoft, McAfee and BitDefender.

Additionally, Polyanin, a Russian national still at large, saw $6,123,652.21 disappear from his FTX Trading Limited account on September 10, 2021, pursuant to a “seize property” warrant issued by Judge Rebecca Rutherford of the US District Court, North District of Texas.

Vasinsky was lured to Poland from the Ukraine and arrested in Poland on October 8, 2021. He remains in custody and is now facing extradition by the US in accordance with the extradition treaty between the two countries. On November 4, 2021, two individuals (not yet identified) were arrested in Romania for their role in the REvil enterprise.

“The arrest of Yaroslav Vasinskyi [October 5 in Poland], the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government and especially our private sector partners,” said FBI Director Christopher Wray. “The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”

When asked what pretext was used to lure Vasinskiy to Poland, Wray wryly noted how individuals travel for many reasons and that “we” were glad Vasinskiy chose to travel from the Ukraine to Poland. While Garland, in response to the assistance being provided by Russia, declined to comment on ongoing law enforcement efforts, yet still managed to signal to Russia expectations with noting how the expectation of the United States is that any country, which a criminal is present, will assist the United States with their arrest and bringing the individual to justice to answer to their alleged crimes.

Kaseya praised for engaging FBI early

Of particular import to CISOs, was Wray’s laudatory comments on the handling of the REvil ransomware attack by victim, Kaseya when they were attacked on July 2. He applauded Kaseya for having engaged with law enforcement early which allowed the Kaseya and its customers to benefit from an all-government response to “put out the fire.” He also noted how these efforts resulted in the FBI being able to create a decryption key to unlock Kesaya’s customers’ data. This served to answer the question asked in late-September 2021 as to why the FBI held back REvil ransomware keys and with which international partners the FBI was engaged in the coordinated law enforcement action.

Treasury Department issues advisories on virtual currency exchanges supporting criminal activity

Adeyemo noted Treasury’s role in the “whole-of-government effort” against ransomware operators and virtual currency exchanges which support the cyber criminals, as including disruption to digital ecosystems. He also advised that Treasury was issuing a FinCEN Updates Ransomware Advisory, which designates the virtual currency exchange Chatex as being a part of the criminal support effort of the ransomware criminals. In addition to Chatex, Izibits OU, Chatextech SIA and Hightrade Finance ltd, were also designated for providing material support to Chatex’s criminal activity. The advisory notes how Latvia has suspended the operations of Chatextech. Estonia has revoked the license of Izibits OU.

Rewards offered for arrest of DarkSide members

Meanwhile, the State Department has made available a $10 million reward for information leading to the identification or locations of any individual holding a key leadership position within the DarkSide ransomware organization and an additional $5 million for information leading to the arrest or conviction in any country of an individual participating in DarkSide ransomware. It is worth noting that the Department’s Transnational Organized Crime Rewards Program has paid out over $135 million in rewards.

In closing, Garland called upon Congress to create a cyber reporting standard for industry to assist law enforcement in their efforts to thwart cybercrime. He, as did Monaco and Wray emphasized the role to be played by the private sector in the fight against cybercrime. It was repeatedly emphasized that early engagement with government by CISOs results in making available the resources of the “all-of-government” approach.