A federal grand jury returned an indictment Monday against Yaroslav Vasinskyi, 22, a Ukrainian national, for conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, a multi-national information technology software company.
Justice Department seized $6.1 million related to the alleged ransomware attacks.
These payments were received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019, according to officials.
Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering.
If convicted of all counts, each faces up to 115 and 145 years in prison, respectively.
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners,” said FBI Director Christopher Wray. “The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”
According to the indictments, Vasinskyi and Polyanin accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies.
“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas.
Adding, “In a matter of months, the Justice Department identified the perpetrators, effected an arrest, and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”
According to court documents, Vasinskyi was allegedly responsible for the July 2 ransomware attack against Kaseya.
- Caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks.
- After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.
- Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims’ computers.
- The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files.
- Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom.
- If a victim paid the ransom amount, the defendants provided the decryption key, and the victims then were able to access their files.
- If a victim did not pay the ransom, the defendants typically posted the victims’ stolen data or claimed they sold the stolen data to third parties, and victims were unable to access their files.
- The $6.1 million seized from Polyanin is alleged to be traceable to ransomware attacks and money laundering committed by Polyanin through his use of Sodinokibi/REvil ransomware. The seizure warrant was issued out of the Northern District of Texas. Polyanin is believed to be abroad.
On Oct. 8, Vasinskyi was taken into custody in Poland where he remains held by authorities pending proceedings in connection with his requested extradition to the United States, pursuant to the extradition treaty between the United States and the Republic of Poland.
In parallel with the arrest, interviews and searches were carried out in multiple countries, and would not have been possible without the rapid response of the National Police of Ukraine and the Prosecutor Governor’s Office of Ukraine.
The FBI’s Dallas and Jackson Field Offices are leading the investigation with close cooperation with Europol and Eurojust, who were an integral part of the coordination.
Investigators and prosecutors from several jurisdictions that helped in this case included:
- Romania’s National Police and the Directorate for Investigating Organised Crime and Terrorism
- Canada’s Royal Canadian Mounted Police
- France’s Court of Paris and BL2C (anti-cybercrime unit police)
- Dutch National Police; Poland’s National Prosecutor’s Office, Border Guard, Internal Security Agency, Ministry of Justice
- The governments of Norway and Australia