US amps up war on ransomware with charges against REvil attackers

2 years ago 353

One idiosyncratic fingered for the July 2021 onslaught against Kaseya is successful custody, portion the different idiosyncratic is inactive astatine large.

The United States has taken different important ineligible measurement successful its conflict against ransomware. On Monday, the US Department of Justice announced ceremonial charges against 2 overseas nationals for their relation successful deploying REvil ransomware attacks against organizations passim the country. Based connected the indictments, the 2 individuals accessed the networks of their intended victims and utilized the Sodinokibi/REvil ransomware to encrypt delicate information and clasp it hostage.

SEE: Ransomware: What IT pros request to cognize (free PDF) (TechRepublic)

A 22-year-old Ukrainian nationalist named Yaroslav Vasinskyi has been charged with aggregate ransomware incidents, including the July 2021 onslaught against IT endeavor steadfast Kaseya.

In that campaign, the attackers exploited a information vulnerability successful Kaseya's VSA product, a programme utilized by managed work providers (MSPs) to remotely show and administer IT services for customers. Vasinskyi was arrested successful Poland connected October 8 and is present being held by authorities portion awaiting extradition to the US.

Also charged by the State Department is 28-year-old Russian nationalist Yevgeniy Polyanin, who allegedly conducted Sodinokibi/REvil ransomware attacks against a assortment of victims, including businesses and authorities agencies successful Texas successful 2019. Polyanin is presently inactive astatine ample but is believed to beryllium successful Russia, perchance successful the Western Siberian metropolis of Barnaul, according to the FBI's Wanted notice.

"It's encouraging to perceive that the Justice Department was capable to way down those liable for the Kaseya attack," said Hank Schless, elder manager for information solutions astatine Lookout. "Hopefully this is indicative of much predominant discovery, location, and apprehension of cybercriminals. Even if an onslaught is attributed to a peculiar group, the individuals wrong that radical tin beryllium astir intolerable to way down. These arrests are a question successful the close direction."

The State Department said that it seized $6.1 cardinal successful funds allegedly traceable to ransomware payments received by Polyanin. The funds were besides connected to wealth laundering tactics allegedly committed by Polyanin to effort to disguise the amerciable payments.

Vasinskyi and Polyanin are charged with conspiracy to perpetrate fraud and related activities, substantive counts of harm to protected computers and conspiracy to perpetrate wealth laundering. If convicted connected each counts, they look maximum penalties of 115 and 145 years successful prison, respectively.

As described successful one of the indictments, Vasinskyi and Polyanin were some accused of being affiliates of the REvil ransomware group, which acts arsenic a Ransomware-as-a-Service (RaaS) operation. In this process, REvil radical members workplace retired the indispensable tools to different cybercriminals who transportation retired the existent attacks.

"The Ukrainian who the US wants to beryllium extradited is highly apt 1 of the affiliates arsenic stated and not portion of the halfway gang," said Jon DiMaggio, main information strategist astatine Analyst1. "The indictment besides stated Vasindkyi 'deployed Sodinokibi ransomware.' If helium was down the portion of the cognition successful which helium deployed malware, helium was a hired hacker (AKA, an affiliate). The halfway radical ran the operations but did not bash the soiled enactment of breaching and infecting targets."

SEE: Infographic: The 5 phases of a ransomware attack (TechRepublic)

Both Vasinskyi and Polyanin allegedly directed their victims to a website wherever they could retrieve the stolen and encrypted files. If the unfortunate paid the demanded ransom, the files would beryllium decrypted. If not, the attackers either publically leaked the stolen files oregon claimed that they sold them to a 3rd party.

"Our connection to ransomware criminals is clear: If you people victims here, we volition people you," Deputy Attorney General Monaco said. "The Sodinokibi/REvil ransomware radical attacks companies and captious infrastructures astir the world, and today's announcements showed however we volition combat back. In different occurrence for the department's precocious launched Ransomware and Digital Extortion Task Force, criminals present cognize we volition instrumentality distant your profits, your quality to travel, and—ultimately—your freedom."

In a related matter, Europol announced the arrest of 3 individuals suspected of deploying Sodinokibi/REvil and GandCrab ransomware attacks. As portion of a planetary inaugural known arsenic Operation GoldDust, 2 radical were arrested by Romanian authorities, portion the different was arrested successful Kuwait.

Following a drawstring of high-profile attacks by REvil, DarkSide and different transgression enterprises, the US authorities and planetary instrumentality enforcement person vowed to combat back. The latest indictments by the State Department travel different caller initiatives that officials judge amusement advancement successful the warfare against this destructive benignant of cybercrime.

Earlier this month, the BlackMatter ransomware pack claimed that it was disbanding owed to unit from ineligible authorities. Around the aforesaid time, the US authorities announced a $10 cardinal reward for accusation starring to the apprehension of DarkSide ransomware pack leaders. And successful October, the REvil pack reportedly lost entree to immoderate of its servers aft they were taken implicit by instrumentality enforcement officials successful the US and different countries successful an ongoing operation.

SEE: Ransomware attack: Why a tiny concern paid the $150,000 ransom (TechRepublic)

REvil and different ransomware groups specified arsenic DarkSide person been linked with Russia, either operating connected behalf of the country's GRU subject quality portion oregon pulling disconnected attacks with the Kremlin's tacit permission. Those ties person challenged the Biden administration, which has been trying to person Russian President Vladimir Putin to instrumentality a tougher stance against ransomware attackers.

"The halfway radical that runs REvil operations resides successful Russia," DiMaggio said. "Their comments connected forums and statements successful media interviews suggest they person an allegiance to Russia and bash not fearfulness the US. The individuals arrested were extracurricular Russia. However, assorted affiliates reside successful Russia, Ukraine and different eastbound European countries and enactment REvil operations."

In summation to the efforts by instrumentality enforcement, organizations request to support and unafraid themselves from information breaches and ransomware attacks. Otherwise, these transgression groups volition simply proceed to carve retired a steadfast concern contempt the risks of apprehension and prosecution. Toward that end, Schless offers immoderate adjuvant insight:

"Most ransomware attacks commencement with compromised idiosyncratic credentials," Schless said. "The astir communal mode for attackers to bargain login details is done mobile phishing wherever they tin people employees crossed a plethora of idiosyncratic and enactment apps. Whether it's SMS, email, societal media, oregon third-party messaging platforms, attackers person grown adept astatine targeting america with societal engineering attacks that person america to log successful to bogus platforms and unknowingly stock our credentials. Once the attackers person access, they're escaped to determination laterally astir the infrastructure until they find the invaluable information they desire."

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays