The Department of Justice on Monday unsealed charges against two foreign nationals, a Russian and a Ukrainian, accused of stealing millions by orchestrating ransomware attacks in the U.S. and around the globe.
Attorney General Merrick Garland said during a press conference that the department charged Yaroslav Vasinsky, 22, of Ukraine last month for his alleged involvement in 2,500 ransomware attacks resulting in $2.3 million in ransom payments.
According to the grand jury indictment, Mr. Vasinsky is tied to the Russian-backed cybergang REvil Group that began infecting computers with REvil ransomware, also known as Sodinokibi, in 2019.
He is charged in connection with a cyberattack against Miami-based software company Kaseya on July 2. Mr. Garland said the cybergang received at least $200 million in ransom payments as a result of the attack, which the company said affected nearly 1,500 businesses downstream from its customers.
Mr. Vasinsky was charged six weeks after the July attack, which Mr. Garland said “demonstrates how quickly we will act alongside our international partners to identify, locate and apprehend alleged cybercriminals, no matter where they are located.”
He was arrested last month by Polish authorities while attempting to cross the border from Ukraine into Poland. The DOJ has requested that he be extradited to the U.S.
The Justice Department also unsealed charges against Yevgeniy Polyanin, 28, of Russia for his alleged role in extorting upwards of $13 million through more than 3,000 REvil-linked cyberattacks against U.S. companies, law enforcement agencies and municipal government entities.
Mr. Garland said the department has seized $6.1 million tied to attacks. Mr. Polyanin has not yet been arrested and he is “believed to be abroad,” according to the department.
Both Mr. Vasinsky and Mr. Polyanin are charged with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering. If convicted of all charges, Mr. Vasinsky and Mr. Polyanin face maximum penalties of 115 and 145 years in prison, respectively.
The attorney general added that he is urging Congress to establish a national standard for reporting “significant” cyberattacks that would require the reported attacks be shared with the Justice Department.
The charges are part of a global law enforcement effort on cyberattacks dubbed Operation GoldDust.
European authorities announced Monday that the operation involving 17 countries has resulted in the arrest of seven hacking suspects since February.
Romanian authorities last week arrested two people allegedly responsible for deploying REvil ransomware and obtaining more than $577,000 in ransom payments, according to Europol.
Three other suspected REvil affiliates and two suspected affiliates of the Russian-linked cyber gang GandCrab reportedly have been arrested since February.
“All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab,” Europol said.
Ransomware gangs’ members have overlapping and shifting allegiances, and REvil’s operation often obscured precisely who was responsible for specific cyberattacks. REvil used a ransomware-as-a-service model in which the developers of the malicious software and the affiliates who deployed it shared the profits from ransom payments extorted from victims seeking restored access to their systems and data.
Kimberly Goody of Virginia-based cybersecurity firm Mandiant says while the recent actions targeting REvil-affiliated actors are “significant,” some countries may still “take a position of strategic tolerance allowing ransomware operations to continue without interference as long as they don’t target domestic interests.”
“This ultimately means that not all ransomware threat actors are going to be risk averse as a result of recent actions, especially given how lucrative they have become,” Ms. Goody, director of financial crime analysis, said in a statement on Monday. “However, imposing costs through arrests and sanctions is important to altering the cost-benefit analysis for ransomware threat actors as a whole.”
Operation GoldDust includes officials from Europol, Eurojust, Interpol and countries including Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.
• Ryan Lovelace contributed to this report.