US Nabs Alleged Ransomware Operators - One Tied to Kaseya
Suspects Deported From Ukraine and Canada to the US
Two suspected ransomware operators have been extradited to the United States from Ukraine and Canada, according to separate reports by the Department of Justice.
Ukrainian national Yaroslav Vasinskyi, 22, was allegedly part of the attack against Kaseya last July, a DOJ statement says. The attack infected about 1,500 customers of the Miami-based IT managed service software provider, and a ransom was demanded from each victim.
Separately, Canadian Sebastien Vachon-Desjardins, 34, has been accused of using a sophisticated form of ransomware, known as NetWalker, which targeted companies, municipalities, hospitals, law enforcement agencies, emergency services, school districts, colleges and universities in 2020, a separate DOJ statement says. Law enforcement officers have seized 719 bitcoins - valued at approximately $28,151,582 - from his house, the report says.
Kaseya Attack
Vasinskyi was arrested on Oct. 8, 2021, in Poland. He is alleged to have ties with Russian-based threat actors who accessed the internal computer networks of several victim companies to deploy the REvil ransomware, the DOJ statement says, citing an August 2021 indictment report.
Vasinskyi deployed malicious REvil code in Kaseya products, which, in turn, deployed the ransomware to endpoints on Kaseya customer networks, the DOJ says.
"After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software," the DOJ says.
The FBI was able to obtain the decryption key for the strain of REvil that was used against Kaseya. While it is not known exactly how the agency did so, the FBI has been criticized after reports emerged that it withheld the key for several weeks as part of a bigger effort to disrupt REvil.
In addition to deploying the ransomware, the suspect allegedly left electronic notes in the form of text files on the victims' computers, the DOJ says.
These notes, it adds, pointed victims to the open-source anonymity network Tor, with a link to a publicly accessible website address the victims could visit to recover their files. Upon visiting the site, however, victims were shown a ransom note and provided with a virtual currency address to pay the ransom.
"If a victim paid the ransom, the defendant provided the decryption key and the victim then was able to access their files. If a victim did not pay the ransom, the defendant typically posted the victim’s stolen data or claimed they sold the stolen data to third parties, and victims remained unable to access their files," the DOJ says.
Vasinskyi has been charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers and conspiracy to commit money laundering. If convicted of all counts, he faces a total penalty of 115 years in prison, the DOJ statement says.
"He remained held by authorities pending proceedings in connection with his requested extradition to the United States, pursuant to the extradition treaty between the United States and the Republic of Poland. Vasinskyi was transported to Dallas by U.S. law enforcement authorities, where he arrived on March 3. He made his initial court appearance and was arraigned [Wednesday] in the Northern District of Texas," the DOJ said.
NetWalker Operator
Canadian law enforcement officers arrested Vachon-Desjardins in Gatineau, Quebec, on Jan. 27, 2021.
He has been charged with conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer arising from his alleged participation in the NetWalker ransomware attacks.
"From April through December 2020, [Vachon-Desjardins] conspired to and did intentionally damage a protected computer and transmit a ransom demand in connection with doing so. The indictment also alleges that the United States intends to forfeit more than $27 million, which is alleged to be traceable to proceeds of the offenses," the DOJ says.