Joint Global Sodinokibi/REvil Ransomware Operation Leads To Key Arrests

November 9, 2021

By Deepti Govind

The Department of Justice (DOJ) announced on Monday, Nov. 8 recent actions taken against two foreign nationals charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States. On the same day, investing app Robinhood said it suffered a security breach last week that allowed hackers to access personal information (email addresses and full names) for roughly 7 million users. The hackers also demanded a ransom payment.

Yaroslav Vasinskyi, 22, a Ukrainian national, was indicted on charges of conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, the DOJ statement says. The Justice Department also said it had seized $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national also charged with conducting Sodinokibi/REvil ransomware attacks against several victims, including businesses and government entities in Texas on or about Aug. 16, 2019. Polyanin is believed to be abroad.

The organized crime group that used this malware is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against its victims, INTERPOL said in a statement published on the same day. The ransomware then encrypts files, and the encrypted files are used to blackmail companies and people into paying huge ransoms, it added.

Vasinskyi was allegedly responsible for the July 2 ransomware attack against Kaseya. The DOJ statement says in the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product. That, in turn, caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.

On the same day, Nov. 8, Europol also announced that Romanian authorities had arrested, on Nov. 4, two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. The press release adds that the two individuals are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments.

“Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims,” Attorney General Merrick B. Garland said in a statement about the arrests.

From 2019 onwards, several large international corporations have faced severe cyber attacks, which deployed the Sodinokibi/REvil ransomware. France, Germany, Romania, Europol and Eurojust reinforced the actions against this ransomware by setting up a Joint Investigation Team in May 2021.

Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab as part of “Operation GoldDust,” Europol says. The Sodinokibi/REvil ransomware family is viewed as the successor of GandCrab, which was one of the world’s most prolific ransomware families with more than a million victims worldwide.

In February, April and October 2021, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims. On Nov. 4, Kuwaiti authorities arrested another GandCrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total.

Europol does not name the two people who were arrested by Romanian authorities in its statement, but it says that at the beginning of October, a Sodinokibi/REvil affiliate was arrested at the Polish border after an international arrest warrant was issued by the U.S. This individual, the statement says, was a Ukrainian national suspected of perpetrating the Kaseya attack, which leaves no doubt that it is referring to Vasinskyi.

The DOJ in its statement quoted Federal Bureau of Investigation (FBI) director Christopher Wray as saying: “The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners.”

These arrests are some of the results of Operation GoldDust, the Europol statement says, which involved 17 countries including the United States, as well as Europol, Eurojust and INTERPOL. The Europol-INTERPOL section of the operation was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore. Research from Chainalysis found that criminals made $350 million in 2020 from ransomware payments, representing an increase of 311% in one year, according to the INTERPOL statement. Over the same period, the average ransom payment increased by 171%, according to Palo Alto Networks, the statement adds.

Bitdefender, in collaboration with law enforcement, made a tool available on the No More Ransom website that helps victims of Sodinokibi/REvil restore their files and recover from attacks made before July 2021, Europol says. Currently, No More Ransom has decryption tools for GandCrab (versions V1, V4 and V5 up to V5.2) and for Sodinokibi/REvil. The Sodinokibi/REvil decryption tools have helped more than 1,400 companies decrypt their networks.