U.S. Attorney General Merrick Garland is flanked by Deputy Attorney General Lisa Monaco and FBI Director Christopher Wray as he announces charges against a suspect from Ukraine and a Russian national over a July ransomware attack on an American company, during a news conference at the Justice Department in Washington, November 8, 2021.
Jonathan Ernst | Reuters
U.S. authorities are seeking the extradition of a Ukrainian man suspected of collecting $2.3 million in ransom after using REvil ransomware to attack about 2,500 targets this summer, the Department of Justice said Monday.
The man being sought by U.S. prosecutors, 22-year-old Yaroslav Vasinskyi, was arrested last month at the request of the U.S. government as he tried to enter Poland from Ukraine.
U.S. Attorney General Merrick Garland said at a press conference that Vasinskyi was behind an early July attack against the Miami-based software company Kaseya. That attack in turn affected at least 1,500 businesses in the U.S. and other countries by spreading through Kaseya software.
In that attack, the targets were told to pay a total of $70 million to have their computers unlocked.
The DOJ on Monday also said that it had seized $6.1 million in alleged ransomware payments received by Russian national Yevgeniy Polyanin, 28, who has been charged with conducting REvil ransomware attacks against victims who included businesses and government entities in Texas in August 2019.
Vasinskyi and Polyanin, who is believed to be abroad, are charged in separate indictments with conspiracy to commit fraud, computer crimes and conspiracy to commit money laundering.
Earlier Monday, the European law enforcement agency Europol announced that Romanian authorities have arrested two other people suspected of cyberattacks in 17 countries that used the REvil ransomware to lock affected computers.
The duo, who were not identified, are suspected of causing 5,000 infections with the ransomware and pocketing half a million euros in ransom payments, according to Europol, which said the arrests were made Thursday.
The Russia-linked REvil Group, which is also known as Sodinokibi, launched an international ransomware attack on July 2.
About a month before that, the group attacked the world’s largest meatpacking company, JBS, leading the firm to shut down operations and disrupting meat production in North America and Australia.
In mid-July, so-called dark web sites affiliated with REvil were shut down. American authorities refused to say whether the U.S. had taken action against the sites.
But a National Security Council official days before had told reporters that U.S. authorities expected to take action against ransomware groups soon.
“We’re not going to telegraph what those actions will be precisely,” that official said. “Some of them will be manifest and visible, some of them may not be. But we expect them to take place in the days and weeks ahead.”
Europol on Monday noted that since February, authorities have arrested three other affiliates of REvil.