REvil ransomware hacker, Yaroslav Vasinskyi, 22, was arrested last month in a joint announcement today by Attorney General Merrick Garland, Christopher Wray, Director of the FBI, and Adewale Adeyemo, Deputy Secretary of the U.S. Treasury.

Yaroslav Vasinskyi, 22

“REvil,” short for “Ransomware-Evil,” is the name for one of the most “infamous ransomware gangs” on the internet. Vasinski was one of the hackers allegedly involved in the July 2 Sodinokibi/REvil ransomware attack of Kaseya, a U.S. IT software firm. He was arrested on Oct. 8 as he crossed the border from Ukraine to Poland. The U.S. now seeks his extradition. Working with international partners, the three federal agencies recovered approximately $6.1 million in ransom payments.

Monday’s DOJ press release stated in part:

“The department also announced today the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.”

Garland told reporters that court documents are now unsealed in Dallas related to the case. A grand jury indictment said Vasinskyi and other co-conspirators “wrote the software, which they first unleashed in April 2019, and regularly refined it.” The press release continued:

“Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively.”

The FBI’s Dallas and Jackson Field Offices are leading the investigation. Reporting by Bloomberg states that the group has been busy staging attacks all over the world.

“The group is accused of staging several attacks this year against major companies and organizations, including Brazilian meat supplier JBS and Miami-based technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.”

The DOJ press release explains that “electronic notes” were left on victims’ computers, demanding ransom in return for file recovery. Victims were allegedly told that refusal to pay the ransom meant their stolen data would be posted on the web or sold to third parties.

“Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims’ computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files. Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom. If a victim paid the ransom amount, the defendants provided the decryption key, and the victims then were able to access their files. If a victim did not pay the ransom, the defendants typically posted the victims’ stolen data or claimed they sold the stolen data to third parties, and victims were unable to access their files.”

According to Director Wray, the FBI eventually secured a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. Europol announced on Nov. 4 the arrest of two individuals suspected of participation in the Sodinokibi/REvil ransomware attacks. The Europol press release stated:

“They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab.”

The tables were turned on REvil in mid-October when the group was “hacked and forced offline by a multi-country operation, according to three private-sector cyber experts working with the United States and one former official,” according to reporting by Reuters. Reuters also reported that “a leadership figure known as “0_neday,” who had helped restart the group’s operations after an earlier shutdown, said REvil’s servers had been hacked by an unnamed party.”

According to BleepingComputer.com, “Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to the increased pressure by law enforcement.”

In July, the Justice Department vowed to combat ransomware attacks with an announcement of its first “One-Stop Ransomware Resource at StopRansomware.gov.” The hub promised to consolidate “ransomware resources from all federal government agencies.” Garland stressed the importance of interagency partnership and early and prompt reporting of ransomware attacks. He made clear that the Justice Department will “do everything in our power to identify the perpetrators of ransomware attacks to bring them to justice and to recover the funds they have stolen from the American people.”

Kaseya provides outsourced IT management software to managed service providers (MSPs). MSPs provide software infrastructure to small to mid-size businesses. REvil exploited a bug in MSP-focused software called Virtual System Administrator(VSA). The group then targeted those businesses and their downstream customers, resulting in cascading security vulnerabilities. According to Wired.com:

“In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.”

In a July 6 video, Kaseya CEO, Fred Voccola, addressed “the facts” of the July 2 ransomware attack. While hesitant to minimize damage to those affected, he contended “less than 0.1% of the company’s customers” were affected by the attack. He explained that Kaseya immediately shut down VSA, resulting in painful but necessary damage control for some of his company’s customers. He also stated that only one of the 27 Kaseya platform modules was breached, affecting approximately 50 of Kaseya’s 37,000 direct customers. Voccola shared that it was the “modular nature of Kaseya’s security architecture that prevented the attack from hindering any modules other than VSA.” About “800 to 1500” downstream customers were also affected.

The attack was somewhat reminiscent of the much more catastrophic SolarWinds hack in 2020. In that breach, attackers compromised the vendor’s software resulting in a downstream of “a malicious update that infiltrated about 18,000 government and private networks.”