Russia-linked Revil hackers hit with arrests by US, allies
WASHINGTON — After vowing for months to crack down on ransomware, the Biden administration and allied countries unleashed a string of actions Monday against one of the most prolific hacking groups and also issued sanctions against cryptocurrency entities that allegedly enable such attacks.
European authorities announced that police in Romania and South Korea had arrested five people allegedly associated with the Russia-linked ransomware group commonly known as Revil or Sodinokibi. In the U.S., a Ukrainian national, Yaroslav Vasinskyi, and a Russian national, Yevgeniy Polyanin, were indicted for alleged involvement in Revil ransomware attacks, according to Justice Department court documents unsealed Monday in Dallas.
“Together with our partners, the Justice Department is sparing no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack,” Attorney General Merrick Garland said at a news conference in Washington. “The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyberthreats.”
While the arrests and associated actions demonstrate that governments have a significant capability to disrupt hackers, it remained unclear how much of an impact they will have on preventing future ransomware attacks. Cybersecurity experts warn that hackers operate in loosely affiliated groups, often in countries like Russia where they can evade law enforcement.
Jon DiMaggio, chief security strategist at Analyst1, said the indictments can be important in slowing down groups like Revil. “But at the end of the day, there is no shortage of hackers for hire that want to make money by getting in with these guys,” he said.
“Maybe they’ll think for a second longer before they join, if there’s law enforcement action against a specific group. Time will tell,” he said. “But criminals are criminals. They’re generally not afraid of law enforcement.”
In Washington, the Treasury Department announced actions intended to disrupt ransomware attacks and the virtual currency exchanges that launder the illicit proceeds. The State Department offered a reward of as much as $10 million for information leading to the identification or location of Revil’s leaders and as much as $5 million for information leading to the arrest or conviction of individuals who participated in attacks involving Revil’s malware.
“Revil,” short for “Ransomware-evil,” is known as one of the world’s most infamous ransomware gangs. The group is accused of staging several attacks this year against major companies and organizations, including Brazilian meat supplier JBS SA and Miami-based technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.
In ransomware attacks, hackers encrypt a victim’s files and then demand payment to unlock them. Reported ransomware payments in the U.S. reached $590 million in the first half of 2021, compared with a total of $416 million in all of 2020, according to the Treasury Department.
Following a string of high-profile attacks, President Joe Biden vowed to make curbing ransomware a priority for his administration. At a June summit, he warned his Russian counterpart, Vladimir Putin, that Russian hackers should steer clear of 16 critical sectors of the U.S. economy. Last month, his administration enlisted more than 30 countries in an effort to curb ransomware.
On Monday, Biden said he was following through on his promise to Putin.
“We are bringing the full strength of the federal government to disrupt malicious cyber activity and actors, bolster resilience at home, address the abuse of virtual currency to launder ransom payments, and leverage international cooperation to disrupt the ransomware ecosystem and address safe harbors for ransomware criminals,” Biden said in a statement.
The arrests by European and South Korean law enforcement involved so-called Revil affiliates. Ransomware groups often provide their malware to others, called affiliates, who then target victims and pay the group a cut of the illicit proceeds. Europol said that law enforcement agencies had identified the alleged affiliates of Revil after seizing infrastructure used by the group and carrying out investigative methods such as wiretapping.
Romanian authorities arrested two alleged affiliates of the group on Thursday, according to a statement released Monday by European law enforcement agency Europol. A further three arrests of Revil suspects were made earlier this year, Europol said.
The arrests stemmed from an international investigation named GoldDust, which involved law enforcement agencies from 17 countries, including the U.S., the U.K., France and Germany. The alleged hackers are suspected of involvement in about 5,000 ransomware infections and of receiving about half a million euros ($579,000) in ransom payments.
In the Texas indictments, Vasinskyi and Polyanin were charged with conspiracy to commit fraud and money laundering, as well as other computer crimes, in connection with Revil ransomware attacks against several U.S. businesses. Prosecutors allege the two “knowingly and willfully” conspired to intentionally damage computer systems at no fewer than nine firms in seven states.
The Justice Department said Monday it seized $6.1 million in ransom payments tied to Polyanin, and the FBI added a “wanted” poster for him to its website.