US charges Ukrainian and Russian over cyberattacks

The US justice department has charged a suspect from Ukraine and a Russian national over a July ransomware attack on an American company, according to indictments made in court filings on Monday, and has seized $6m in ransom payments.

The latest US actions follow a slew of measures taken to combat ransomware that earlier in 2021 hit big companies, including Colonial Pipeline, the largest fuel pipeline in the US, and crippled fuel delivery for several days in the US southeast.

Yaroslav Vasinskyi, a Ukrainian national arrested in Poland in October, will face US charges for deploying ransomware known as REvil, which has been used in hacks that have cost US firms millions of dollars, the court filing showed.

REvil gained notoriety as the Russian group behind the ransomware attack against meatpacker JBS.

Vasinskyi conducted a ransomware attack over the July 4 weekend on Florida-based software firm Kaseya that infected up to 1,500 businesses around the world, according to the charges filed in the US district court for the northern district of Texas.

Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, were charged with conspiracy to commit fraud and conspiracy to commit money laundering, among other charges.

The treasury department also said the two operatives face sanctions for their role in ransomware incidents in the US, as well as a virtual currency exchange called Chatex “for facilitating financial transactions for ransomware actors”.

Vasinskyi’s alleged July 2021 hacking of Kaseya was one of the most widespread ransomware attacks and involved a widely used software tool made by the IT company. Many Kaseya customers were infected at once with REvil encryption. Some paid ransoms, though a master decryption key was eventually recovered by authorities and distributed weeks later.

Deputy attorney-general Lisa Monaco credited Kaseya for its help in the investigation. “We are here today because in their darkest hour, Kaseya made the right choice and they decided to work with the FBI ... in doing so, we were able to identify and help many victims of this attack.”

The treasury said more than $200m in ransom payments were paid in bitcoin and monero. It added that Latvian and Estonian government agencies were vital to the investigation.

Vasinskyi, 22, was being held in Poland pending US extradition proceedings, while Polyanin, 28, remained at large.

Reuters could not reach any legal representatives for the two, and no lawyers were listed on the indictments.

Up to 1,500 businesses around the world have been affected by ransomware attacks centred on Kaseya. Such companies typically handle back-office work for companies too small or modestly resourced to have their own tech departments.

The US indictment of the Ukrainian hacker said he and other conspirators started deploying hacking software around April 2019 and “regularly” updated and refined it. The indictment also accused the hacker of laundering money obtained through a hacking extortion scheme.

Europol said earlier on Monday that Romanian authorities on November 4 arrested two individuals suspected of cyberattacks deploying the REvil ransomware. Since February, law enforcement authorities have arrested three other affiliates of REvil, Europol said.

Twelve suspects believed to have mounted ransomware attacks against companies or infrastructure in 71 countries were “targeted” in raids in Ukraine and Switzerland, Europol said on Friday.

Reuters