Earlier this summer, Kaseya Ltd., a multinational provider of IT management software, fell victim to a major ransomware attack delivered through its VSA remote-management product, a strike that directly affected nearly 60 of its customers and, through them, countless unsuspecting downstream businesses, including victims across six European nations. The attack, the latest in a growing trend targeting digital supply chains, demonstrated just how quickly a single compromise of a widely used software vendor can ripple through a multitude of industries, both domestically and across international borders. Now, in a joint effort, law enforcement agencies in the U.S. and Europe are finally taking action against the group suspected of being behind this ransomware attack.
Widely identified as one of the top national security threats facing the country today, ransomware is broadly defined as a form of malicious software (i.e. malware) designed to block access to a computer system or its data, generally by encrypting files or programs on IT systems in order to extort ransom payments from victims in exchange for the decryption key needed to restore access. When Kaseya was compromised in July, the attackers used that foothold to encrypt systems at as many as 1,500 downstream businesses, a significant portion of which were small and medium-sized businesses served by Kaseya's customers. The perpetrators then attempted to extort those victims for sums ranging anywhere from $50,000 to $5 million (USD), according to federal investigators. The hacking group behind this attack is notoriously known as "REvil" (also called Sodinokibi), a Russia-based ransomware-as-a-service (RaaS) operation first observed in 2019. Essentially, this group sells ransomware software and supporting services as products and is structured much like a legitimate business; its lone difference is that its services are aimed directly at criminals operating across the dark web.
The fact that this malicious group originated in Russia comes as little surprise to security analysts. Many in the international community, including United States President Joe Biden, have voiced concerns over the Kremlin turning something of a blind eye to hacking operations originating in the region, specifically when the targets are foreign enterprises. Some have even speculated that certain hackers are operating as state-sponsored actors on behalf of the Russian government. Allan Liska, senior solutions architect at the cyber firm Recorded Future, believes just that. Speaking on the attack, Liska noted, "Finding a vulnerability [to exploit] is surprisingly hard," and that attacks of this variety are "almost always [done] by nation-state actors, because those are the folks that are willing to spend the money." He claims that his firm has continued to track activity of this nature, with prices for certain exploits (often depending on the stature of the target) reaching as high as multiple millions of dollars for a single attack. "It seems like a steep price, but if you can get a $30 million ransom, it basically pays for itself in one attack," he concluded.2
In this case, the criminals behind the REvil attack on Kaseya pocketed only $580,000, with the suspects linked to over 5,000 computer infections altogether. However, it does not appear they got away with their crimes cleanly. Earlier this week, the Justice Department announced actions taken against two foreign nationals who are believed to have orchestrated ransomware attacks including the one on Kaseya. An indictment unsealed on November 8th charges Yaroslav Vasinskyi, a Ukrainian national, with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya. The department also announced the seizure of $6.1 million in funds traceable to alleged ransom payments received by Russian national Yevgeniy Polyanin, who is likewise charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims.3 The indictments allege that the men accessed the internal computer networks of their victims before deploying the REvil ransomware to encrypt the victims' data. A Department of Justice press release detailed the inner workings of these attacks. The release read:
“Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims’ computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files. Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom.”3
Only when the ransom was paid was a decryption key provided by these individuals. If the ransom was not paid, however, the defendants posted the stolen data on various online platforms or sold the information to third parties, all while the victims were left unable to recover their files. Vasinskyi is facing several counts of hacking-related charges in addition to conspiracy to commit money laundering, with the U.S. currently seeking his extradition from Poland. Investigators are hoping that the men will be quick to give up their associates in exchange for lighter sentences. In addition to the arrest, the dark web infrastructure that REvil was using to provide its services was also taken offline, a step in the right direction for international authorities in the midst of a global crackdown on this criminal activity.
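The DOJ description above gives a defender three concrete indicators of a ransom note: a small text file dropped beside the encrypted data, a Tor (.onion) address, and a virtual-currency payment address. The following is an added example, not code from the original article or from any of the cited sources, showing how a responder might sweep a file tree for notes carrying those indicators. The sample note, the decoy files, the .onion hostname and the payment address are all constructed for the demonstration and do not correspond to any real REvil artifact.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the DOJ description of the Sodinokibi/REvil notes:
# a Tor address, a payment address, and extortion wording. The regexes below
# are the author's own heuristics, not signatures published by any vendor.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy Bitcoin address shape
XMR_RE = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")  # Monero address shape
NOTE_WORDS = ("decrypt", "ransom", "your files", "private key")

# Constructed sample note (hostname and address are made up, not real indicators).
SAMPLE_NOTE = (
    "All your files have been encrypted.\n"
    "To decrypt them, open the Tor browser and visit\n"
    "http://" + "a" * 56 + ".onion/recover\n"
    "or the mirror at http://recover.example.test/\n"
    "Send payment to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab and you will receive the private key.\n"
)


def classify_note(text):
    """Return which ransom-note indicators a piece of text contains."""
    lowered = text.lower()
    return {
        "onion": bool(ONION_RE.search(text)),
        "payment_address": bool(BTC_RE.search(text) or XMR_RE.search(text)),
        "extortion_words": sum(word in lowered for word in NOTE_WORDS) >= 2,
    }


def is_ransom_note(text):
    """A Tor link plus either a payment address or extortion wording is treated as a note."""
    hits = classify_note(text)
    return hits["onion"] and (hits["payment_address"] or hits["extortion_words"])


def scan_tree(root, max_bytes=64 * 1024):
    """Walk root and return the paths of small text files that look like ransom notes."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue  # binary (e.g. an encrypted file) or unreadable: not a note
        if is_ransom_note(text):
            found.append(path)
    return found


def demo():
    """Build a constructed directory with one note and two decoys; return how many notes are found."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "readme-recover.txt").write_text(SAMPLE_NOTE, encoding="utf-8")
        # Decoy 1: benign text that happens to contain one of the keywords.
        (docs / "notes.txt").write_text("Meeting at 10. Bring the private key fob.", encoding="utf-8")
        # Decoy 2: random bytes standing in for an encrypted document.
        (docs / "report.pdf.locked").write_bytes(os.urandom(2048))
        return len(scan_tree(tmp))


if __name__ == "__main__":
    print("ransom notes found in constructed tree:", demo())
```

In practice this sweep would be run from a forensic image or a read-only mount rather than the live host, and the hits cross-checked against the note text published for the family in question; the point of the example is that the indicators the indictment describes are simple enough to search for at scale.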
This attempt to take down REvil represents a larger effort by the Biden administration to target ransomware operators through increased international cooperation. In this case, increased information sharing proved rather successful, as a total of 17 countries were involved in the investigation of REvil, according to the European Union Agency for Law Enforcement Cooperation (Europol). Of the indictments and the arrest of Vasinskyi, U.S. Attorney General Merrick Garland stated that this "demonstrates how quickly we will act alongside our international partners to identify, locate and apprehend alleged cybercriminals, no matter where they are located."1
Citations
1. McMillan, Robert, and Dustin Volz. "U.S. and Europe Crack Down on REvil Ransomware Group." The Wall Street Journal, Dow Jones & Company, 8 Nov. 2021.
2. Uberti, David. "Kaseya Hack Ripples Across Europe as Ransomware Boom Escalates." The Wall Street Journal, Dow Jones & Company, 9 July 2021.
3. "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya." The United States Department of Justice, 8 Nov. 2021.