WASHINGTON – Justice Department officials Monday announced indictments against two alleged ransomware kingpins responsible for thousands of attacks and recovered more than $6 million in cryptocurrency payments.
One of the suspects, Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was arrested last month by Polish authorities and is accused of unleashing ransomware known as Sodinokibi/REvil against Kaseya, an information software company, in July.
Attorney General Merrick Garland said Vasinskyi was charged with authoring the ransomware, encrypting the victim’s computers and laundering money paid in ransom. Vasinskyi was arrested Oct. 8 by Polish officials, and American authorities have requested his extradition to face charges in the U.S.
“Vasinskyi’s arrest demonstrates how quickly we will act alongside our international partners to identify, locate and apprehend alleged cybercriminals, no matter where they are located,” Garland said. “We are also committed to capturing their illicit profits and returning them whenever we can to the victims who were extorted.”
Authorities also announced a separate indictment against Yevgyeniy Igoryevich Polyanin, 28, a Russian national who remains at large and is accused of launching 3,000 cyber attacks and attempting to extort at least $13 million from victims, which included U.S. law enforcement agencies, municipalities and other entities.
The indictment charges Polyanin with attacks launched throughout Texas in August 2019. He faces charges similar to those leveled against his Ukrainian counterpart, including conspiracy to commit damage to protected computers and conspiracy to commit money laundering.
Justice officials seized $6.1 million in ransom proceeds traced to Polyanin, Garland said.
“This will not be the last time,” Garland said of the recovery of money. “The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.”
The Treasury Department also announced sanctions to discourage and prevent ransomware. And the State Department announced rewards for information that helps track down cybercriminals.
The announcements came the same day Europol, the European Union’s law enforcement agency, announced that Romanian authorities had arrested two people Thursday suspected of cyber attacks. The attacks resulted in 5,000 infections and 500,000 euros in ransom payments.
Garland said prompt reporting of ransomware incidents helps track bad actors and prevent other attacks. He urged Congress to create a national standard for reporting significant cyber incidents and to require the reported information be shared immediately with the Justice Department.
“Our message today is clear: the United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice and to recover the funds they have stolen from the American people,” Garland said.
The attacks were blamed on ransomware called Sodinokibi/REvil. Since February, the Europol investigation has led to the arrests of three other affiliates of Sodinokibi/REvil and two suspects connected to another strain of ransomware called GandCrab that infected a combined total of 7,000 victims.
South Korea arrested three affiliates of both strains of ransomware, in February, April and October. Another affiliate was arrested in Europe in October. And Kuwaiti authorities arrested a GandCrab affiliate on Thursday.
The investigation, involving 17 countries including the U.S., identified suspects, used wiretaps and seized some equipment of Sodinokibi/REvil, which Europol said is seen as the successor to GandCrab.
The countries that participated in the investigation were Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.
The Justice Department has faced challenges in pursuing international hackers because many operate in countries that don’t extradite their own citizens to the U.S. for prosecution.
Deputy Attorney General Lisa Monaco appeared to foreshadow Monday’s announcement in an interview with The Associated Press last week, saying that “in the days and weeks to come, you’re going to see more arrests.”
REvil had been linked to ransomware that targeted the world’s largest meat producer, Brazil-based JBS SA, and an attack that snarled businesses worldwide around July Fourth.
JBS resumed operations in June after servers in North America and Australia were targeted. Backup servers weren’t affected and the company said it was not aware of any customer, supplier or employee data being compromised.
Also in June, the Justice Department seized $2.3 million in cryptocurrency from a payment made by Colonial Pipeline following a ransomware attack. The attack had forced the company to temporarily halt operations for nearly a week, creating fuel shortages in parts of the country and panic buying in the Southeast.
“We will be relentless in our mission to investigate, to disrupt and to prosecute ransomware attacks,” Monaco said. “Today, we are back to tell the American people that we have done it again.”