Law enforcement agencies around the world have made a series of arrests in the past five days that together constitute one of the largest law enforcement crackdowns on suspected ransomware hackers to date.
The U.S. on Monday charged a Russian national and a Ukrainian national who was arrested in Poland with working for REvil, a ransomware gang that has operated with near-impunity since at least 2019. And Romania, South Korea and Kuwait have arrested people alleged to be affiliated with REvil since Thursday.
Some of REvil’s highest-profile hacks include those of JBS, a major U.S. meat supplier; Quanta, a Taiwanese manufacturer that supplies Apple computers; and Kaseya, a software company. The Kaseya hack allowed REvil to gain access to hundreds of companies.
The U.S. and the European Union announced seven arrests Monday, with each person accused of deploying malicious software for REvil.
The U.S. is trying to put at least one of the suspects in a U.S. prison. The Treasury Department alleged Monday that the man, Yaroslav Vasinskyi, a Ukrainian national who was arrested in Poland last month and was wanted by the U.S., deployed REvil ransomware and said it had sanctioned him. It also charged and sanctioned a Russian national, Yevgeniy Polyanin, who is alleged to have deployed REvil against unnamed U.S. companies.
The Treasury Department also announced sanctions against a cryptocurrency exchange, Chatex, which is alleged to have helped hackers launder bitcoin payments from their victims into cash. Chatex, which didn’t immediately respond to a Telegram message requesting comment, was down on Monday.
The U.S. also has recovered $6.1 million in extorted funds from REvil, Attorney General Merrick Garland said Monday at a news conference. The group has received more than $200 million total in its operations, he said.
President Joe Biden praised the indictments and the sanctions in a statement Monday afternoon.
“We are bringing the full strength of the federal government to disrupt malicious cyber activity,” Biden said.
“While much work remains to be done, we have taken important steps to harden our critical infrastructure against cyberattacks, hold accountable those that threaten our security, and work together with our allies and partners around the world to disrupt ransomware networks,” he said.
Romanian authorities arrested two other people alleged to be REvil affiliates on Thursday, Europol announced Monday. In addition, Kuwaiti authorities arrested another person accused of being a criminal hacker tied to REvil on Thursday. And South Korea has quietly been arresting people alleged to be REvil hackers based there: one each in February, April and October.
South Korea has had far more REvil infections than any other country, said Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft, primarily because hackers have deployed the ransomware software against thousands of individual homes.
While it is far from the only ransomware group that regularly terrorizes victims around the world, REvil had already found itself in U.S. crosshairs. Members complained last month that some of their systems had been hijacked, unaware that they were under attack from U.S. Cyber Command, home of the country’s most effective offensive hacking operations, The Washington Post reported.
The coordinated international arrests were announced less than a month after the Biden administration hosted a first-of-its-kind international Zoom consortium on tackling ransomware. Poland, Romania, South Korea and Ukraine all attended. Russia, widely believed to be the world’s biggest haven for ransomware hackers, wasn’t invited.
Alexandru Cosoi, the senior director on the investigation and forensics unit at the cybersecurity company Bitdefender, which assisted law enforcement agencies with the investigation, said the arrests were the culmination of years of work tracking REvil.
“We studied the criminals, we studied the affiliates, we studied the infrastructure, and every time we had something to provide to law enforcement we provided it to the entire investigation group,” Cosoi said.
Notably, no Russian nationals were reported to have been arrested. The U.S. has frosty relations with Russia, which it has struggled to persuade to prosecute cybercriminals who attack foreign entities from within its borders.
“It’s believed that the administrators, the developers, the people that actually made the virus — the backend platforms, the payment platforms, the infrastructure — these are Russian-speaking. They’re hosting in Russian. Their communications are in Russian,” Cosoi said.
The broad scope of the arrests still represents only a fraction of the threat ransomware poses, said Joe Slowik, the senior manager of threat intelligence at the computer networking company Gigimon.
“We will likely observe short-term disruptions and friction, with some ‘lower level’ entities potentially exiting the game, without having a significant effect on long-term trends of ransomware activity,” Slowik said.
“Essentially the work still pays rather well and consequences can still be evaded in a sufficient number of locations such that operators can continue their work,” he said.