According to court records released on Monday, the US Justice Department indicted a Ukrainian citizen and a Russian in one of the deadliest ransomware assaults on American targets.
The latest US efforts come after a flurry of measures to tackle a surge in ransomware attacks that have hit numerous major corporations, including an attack on the country’s largest fuel pipeline, which paralyzed fuel deliveries for several days.
Ukrainian Yaroslav Vasinskyi, who was arrested in Poland last month, was accused of breaking into Florida software company Kaseya over the July 4 weekend, according to an indictment.
He and his colleagues then transmitted REvil ransomware to as many as 1,500 Kaseya clients at the same time, encrypting their data and causing some to shut down for days, according to the report.
Vasinskyi is accused of infiltrating the victims’ businesses and installing encryption software developed by the core REvil group. REvil handled the ransom discussions himself, splitting the money with affiliates such as Vasinskyi. Using this strategy, the renowned ransomware group was able to extract cryptocurrency from a number of businesses.
Targeting affiliates rather than the core gangs, according to Kimberly Goody, director of financial crime analysis at security firm Mandiant, could be more effective because their talents are more valuable than encryption software, which is common. Some affiliations collaborate with a variety of gangs.
The arrest was part of a larger continuing operation involving the FBI, Europol, and national police organizations across Europe, with the assistance of private security firms.
According to Reuters, the joint operation penetrated REvil, which was also involved in an attempt against leading global meatpacker JBS SA, and officials seized $6 million in ransom payments.
Last month, REvil and a rival group implicated in the Colonial Pipeline hack announced their demise. According to the indictment, the Ukrainian hacker and other accomplices began installing hacking software in April 2019 and continued to upgrade and polish it on a regular basis. He allegedly also laundered money earned from the extortion plot, according to the report. Europol stated earlier on Monday that Romanian authorities arrested two more people accused of using the REvil ransomware in attacks on Nov. 4. According to Europol, three more persons have been arrested in South Korea in connection with REvil and two related ransomware variants. Europol said on Friday that 12 persons thought to have carried out ransomware attacks against firms or infrastructure in 71 countries were “targeted” in operations in Ukraine and Switzerland.