REvil suspect allegedly behind Kaseya hack extradited to the US
The Ukrainian national was arrested in Poland last year, a few months after the Kaseya attack shut down hundreds of SMEs around the world
A Ukrainian man, said to be a key member of the REvil ransomware group and accused of conducting the Kaseya hack last year, has been extradited to the United States and made a court appearance on Wednesday.
Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was apprehended in Poland on 8th October 2021 and held there until he was brought to Dallas, Texas, on the 3rd March.
He was brought before the Dallas federal court on Wednesday to face charges of computer hacking and fraud, among others. The indictment was unsealed on the same day.
Vasinskyi is accused of accessing multiple victim firms' internal networks. Once there, he allegedly installed the Sodinokibi/REvil ransomware to encrypt data.
According to the US Justice Department, Vasinskyi is responsible for the ransomware attack on Florida software provider Kaseya in July 2021. He allegedly compromised Kaseya systems and distributed REvil ransomware to its clients, with the assistance of accomplices.
The attack used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers in the massive supply chain strike, forcing many businesses to shut down for days.
The impact of the attack was felt around the world, particularly in countries like Sweden, where hundreds of supermarkets were forced to shut because their cash registers could not function.
The DoJ says REvil was closely engaged in the ransom discussions, and shared the proceeds with Vasinskyi and other affiliates.
REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of 2020/21. It breaches companies networks using spam, exploits, exposed remote desktop services and compromised supply chains.
The gang primarily focuses on big firms, and avoids targeting consumers.
In June 2021, meat processing giant JBS paid REvil $11 million, after the gang locked its systems at the end of May.
Vasinskyi utilised a number of online monikers, including Robitnik, Profcomserv, and Yarik45, among others.
So far, there is no new information on Vasinskyi's co-accused: Russian native Yevgeniy Polyanin, 28, who is also alleged to be a member of REvil. The two were apprehended by Ukrainian authorities with direct assistance from law enforcement in the UK and the US.
"When last year I announced charges against members of the Sodinokibi/REvil ransomware group, I made clear that the Justice Department will spare no resource in identifying and bringing to justice transnational cybercriminals who target the American people," said Attorney General Merrick B. Garland.
"That is exactly what we have done."
Deputy Attorney General Lisa O. Monaco, said, "When we are attacked, we will work with our partners here and abroad to go after cybercriminals, wherever they may be."
Vasinskyi is facing several charges, including conspiracy to commit fraud and related activity in connection with computers, causing damage to protected computers, and conspiring to commit money laundering.
If he is found guilty on all fronts, he could face a maximum sentence of 115 years in jail.
This is not the first instance of alleged REvil members being arrested by law enforcement agencies.
In November, Romanian authorities arrested two individuals suspected of carrying out cyber attacks using Sodinokibi/REvil. Both suspects are allegedly responsible for 5,000 ransomware infections, and thought to have received nearly €500,000 in ransom payments.
In January, Russia's Federal Security Service (FSB) said it arrested 14 members of REvil, including a hacker that US officials say was behind May's Colonial Pipeline attack.
The arrests came about a month before Russia's invasion of Ukraine and heavy sanctioning by the West.