The United States continues to notch wins against the seemingly unstoppable threat of ransomware.
The latest, which came on Monday, resulted in the seizure of $6.1 million in ransom payments and the arrest of two individuals who purportedly used ransomware to carry out attacks against companies.
One of those companies happens to be Kaseya, the IT management software company that made headlines after it was hit by ransomware over the July 4th holiday weekend this past summer as part of a supply chain attack involving its Unified Remote Monitoring & Management, or VSA, tool. The attack, like last year's SolarWinds attack, another supply chain hack, also involved the exploitation of a previously unknown bug (a zero-day vulnerability) and ultimately implicated hundreds of its customers.
The Justice Department announced the actions against Yaroslav Vasinskyi, a Ukrainian national connected to the Kaseya attack, and Yevgeniy Polyanin, a Russian national connected to the REvil (also known as Sodinokibi) ransomware, at a press conference on Monday.
In it, the DOJ confirmed that Vasinskyi deployed REvil through Kaseya, which in turn spread it to endpoints on its customers' networks and went on to encrypt data on those machines.
According to the DOJ, Vasinskyi was taken into custody in October when he crossed into Poland, where he awaits extradition to the US. Polyanin hasn't been taken into custody and is still abroad, according to the department. His wanted poster suggests he's residing in Russia, possibly in Barnaul, a city in Siberia not far from the Kazakhstan border.
The $6.1 million seized by law enforcement agencies was Polyanin's and amounts to less than half of the $13 million he extorted from victims. Many of those victims were agencies and municipalities in Texas that Polyanin hit in 2019, though none of them reportedly paid a ransom.
In that attack, 23 different Texas entities fell victim to REvil ransomware. The incident inhibited the agencies' ability to conduct day-to-day business such as running payroll, viewing records, and processing licenses. It took weeks for the departments to assess the damage, restore what data they could from backups, and regain control of their locked systems.
The Texas Department of Information Resources released a statement about the indictment on Monday, stressing how important sharing information is when it comes to thwarting cybercriminals.
“DIR is proud to have worked with our federal partners in this investigation and is thankful for the support of Texas Governor Greg Abbott during the initial response and recovery,” Amanda Crawford, DIR’s executive director and State of Texas Chief Information Officer, said. “It was this team effort along with advanced preparation that allowed a very critical situation to be resolved quickly and with minimal impact for Texans.”
The Department of Justice's Deputy Attorney General Lisa Monaco was resolute in her stance that the U.S. is keeping the pressure on when it comes to tackling ransomware.
“Our message to ransomware criminals is clear: If you target victims here, we will target you,” said Deputy Attorney General Monaco at the press conference on Monday. “The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today’s announcements showed how we will fight back.”
Monaco hinted last week that the department was stepping up its actions to fight ransomware. "In the days and weeks to come, you’re going to see more arrests,” Monaco told the Associated Press in a sit-down interview.
"We are here today because in their darkest hour, Kaseya made the right choice and they decided to work with the FBI," Monaco said at a press conference for the arrests on Monday.
President Biden echoed Monaco’s sentiments in a statement released on Monday, applauding the efforts of the DOJ, FBI, Department of State and Department of the Treasury.
"While much work remains to be done, we have taken important steps to harden our critical infrastructure against cyberattacks, hold accountable those that threaten our security, and work together with our allies and partners around the world to disrupt ransomware networks — and my Administration will continue to use every tool available to us to protect the American people and American interests against cyber threats," Biden said.
In addition to the arrests, the US Treasury made a move on Monday, too, designating another virtual currency exchange, Chatex, for its role in facilitating financial transactions for ransomware actors. The move follows the Commerce Department's sanctioning of Suex, another virtual currency exchange that's connected to Chatex.