The Justice Department announced the arrest and unsealed an indictment against Yaroslav Vasinskyi, 22, of Ukraine, in connection with the July 2 ransomware attack against Kaseya, the Florida-based remote IT monitoring provider. Vaskinskyiwas indicted under seal in August and arrested on Oct. 8 when he crossed the border from the Ukraine into Poland.
DOJ also charged a Russian national, Yevgeniy Polyanin, 28, with conducting attacks through the Sodinokibi/REvil ransomware gang against entities in Texas in August 2019. Authorities also seized $6.1 million tied to ransom payments. Polyanin is still believed to be abroad, officials said.
Vasinskyi, who uses a number of online monikers, including "Rabotnik," is charged with helping deploy Sodinokibi/REvil code across a Kaseya platform, which hit customers and encrypted their systems. Vasinskyi and Polyanin were charged in separate indictments with conspiracy to commit fraud and money laundering and face sentences of up to 115 and 145 years, respectively.
The charges are part of a comprehensive effort by the Biden Administration to crack down on nation-state and criminal activity attacking critical industries and government targets in the U.S.
In early October, the DOJ announced the formation of a task force designed to go after criminal cyber gangs and other entities using ransomware, cryptocurrency platforms and other means to attack the U.S.
While the DOJ announced crackdowns against the alleged attackers behind high-profile ransomware attacks, the Treasury designated virtual currency exchange Chatex for facilitating financial transactions for ransomware groups.
Chatex has direct ties to Suex, a cryptocurrency exchange that was sanctioned in September for facilitating transactions for ransomware groups. The Office of Foreign Assets Control designated IZIBITS OU, Chatextech SIA and Hightrade Finance Ltd., which officials say provided material support to Suex and designated Vasinskyi and Polyanin.
In tandem with the other announcements, the State Department offered a reward of up to $10 million for information on any key member of the Sodinokibi/REvil ransomware group.
Attorney General Merrick Garland, speaking at the Monday announcement of charges, said the U.S. is responding with a whole of government approach.
"Together with our partners, the Justice Department is sparing no resource to identify, and bring to justice anyone, anywhere, who targets the United States with a ransomware attack," Garland said.
Sodinokibi/REvil has been a prolific threat actor spreading ransomware globally, Garland said. The threat actors deployed ransomware on about 175,000 computers worldwide and at least $200 million has been paid to the group in ransom thus far.
Polyanin, who has not been arrested but charged, is alleged to be involved in more than 3,000 ransomware attacks, bringing in proceeds of $13 million, according to authorities.
Authorities in Romania arrested two alleged members of the Sodinokibi/REvil operation on Nov. 4.
Deputy AG Lisa Monaco encouraged other companies to cooperate if they are the victims of ransomware attacks, noting that Kaseya's cooperation was critical to bringing the case against the defendants in this new indictment.
"We at Kaseya are grateful for the support and assistance provided by the FBI, as well as the swift action and response by the Department of Homeland Security, Department of Justice and all other involved U.S. government entities, said Dana Liedholm, SVP of corporate marketing at Kaseya.
Leidholm would not comment on specifics of the case but did say the proceeds seized were not related to the Kaseya case.
Defending against sophisticated ransomware threat actors requires a combination of sustained law enforcement activity with meaningful policy actions to deter, detect and disrupt such actions, according to an expert in the use of cryptocurrency.
"Arrests and seizures can have a positive and meaningful impact," Gurvais Grigg, global public sector chief technology officer at Chainalysis, said. "However, no single arrest or action will be the silver bullet solution to ransomware."
The arrests and asset seizures are a positive development by the task force, according to Jamil Jaffer, SVP at IronNet, and founder and executive director of the National Security Institute at George Washington University. However, a key element will be how the U.S. works with its international partners and how the task force engages in follow up actions against additional threat actors.