Ukrainian indicted in US for Kaseya ransomware attack

A 22-year-old Ukrainian arrested in Poland has been indicted in the United States as part of a global operation against ransomware attacks, including the high-profile July hack of IT software company Kaseya, officials said Monday.

Yaroslav Vasinskyi, who was detained in Poland on October 8, was the most prominent of several people whose arrests were announced on Monday by US and European authorities.

The arrests were linked to the Russian-based hacker group REvil, also known as Sodinokibi, and the ransomware group GandCrab.

Interpol said the four-year operation dubbed "Quicksand" or "GoldDust" was carried out by 19 law enforcement agencies in 17 countries.

It said those arrested "are suspected of perpetrating tens of thousands of ransomware infections and demanding more than 200 million Euros ($230 million US) in ransom."

Vasinskyi's indictment for fraud and money laundering was announced by the US Justice Department, which also announced the seizure of $6.1 million in funds from alleged ransom payments made to Yevgyeniy Polyanin, a Russian national.

Polyanin, 28, is accused of conducting REvil/Sodinokibi ransomware attacks against businesses and government entities in Texas in August 2019.

Polyanin, who has been indicted in Texas for conspiracy to commit fraud and money laundering, is believed to be in Russia, possibly in Barnaul, according to the FBI.

The EU police agency Europol said that in addition to Vasinskyi, two people were arrested in Romania, one in Kuwait and three in South Korea.

US Attorney General Merrick Garland said the United States is seeking Vasinskyi's extradition from Poland.

"Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy, and to our national security," Garland told reporters.

"Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims."

Ransomware is an increasingly lucrative form of digital hostage-taking in which hackers encrypt victims' data and then demand money for restored access.

According to the US indictments, Vasinskyi and Polyanin deployed REvil/Sodinokibi ransomware to encrypt data on the computers of victim companies.

Vasinskyi was allegedly responsible for the July ransomware attack against Kaseya, a company that provides network and infrastructure services to thousands of small businesses around the world.

Malicious REvil/Sodinokibi code caused the encryption of data on computers of many users of Kaseya software.

Victims were told to pay a ransom in virtual currency. If they paid the ransom, they were given a decryption key and were able to access their files.

If they refused, the hackers threatened to publicly release the stolen data, sell it to third parties and continue to deny access.

Vasinskyi and Polyanin, if convicted of fraud and other charges, could face more than 100 years in prison.

President Joe Biden welcomed the operation and said cybersecurity was a "core priority" of his administration.

"When I met with President (Vladimir) Putin in June, I made clear that the United States would take action to hold cybercriminals accountable," Biden said in a statement. "That's what we have done today."

The Department of State said meanwhile it was offering a reward of up to $10 million for information leading to the identification or location of leaders of the REvil/Sodinokibi organised crime group.

And the US Treasury Department announced that it was taking actions against Chatex, a virtual currency exchange accused of laundering the proceeds of ransomware.

The department said ransomware payments in the United States reached $590 million in the first half of 2021, compared to a total of $416 million in 2020.