(Reuters) – The U.S. Justice Department has charged a suspect from Ukraine and a Russian national over a July ransomware attack on an American company, according to indictments made in court filings on Monday, and has seized $6 million in ransom payments.
The latest U.S. actions follow a slew of measures taken to combat ransomware that earlier this year hit big companies, including Colonial Pipeline, the largest fuel pipeline in the United States, and crippled fuel delivery for several days in the U.S. Southeast.
Yaroslav Vasinskyi, a Ukrainian national arrested in Poland last month, will face U.S. charges for deploying ransomware known as REvil, which has been used in hacks that have cost U.S. firms millions of dollars, the court filing showed.
REvil gained notoriety as the Russian group behind the ransomware attack against meatpacker JBS SA.
Vasinskyi conducted a ransomware attack over the July 4 weekend on Florida-based software firm Kaseya that infected up to 1,500 businesses around the world, according to the charges filed in the U.S. District Court for the Northern District of Texas.
Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, were charged by the United States with conspiracy to commit fraud and conspiracy to commit money laundering, among other charges.
The Treasury Department also said the two operatives face sanctions for their role in ransomware incidents in the United States, as well as a virtual currency exchange called Chatex “for facilitating financial transactions for ransomware actors.”
Vasinskyi’s alleged July 2021 hacking of Kaseya was one of the most widespread ransomware attacks and involved a widely used software tool made by the IT company. Many Kaseya customers were infected at once with REvil encryption. Some paid ransoms, though a master decryption key was eventually recovered by authorities and distributed weeks later.
Deputy Attorney General Lisa Monaco credited Kaseya for its help in the investigation. “We are here today because in their darkest hour, Kaseya made the right choice and they decided to work with the FBI… in doing so, we were able to identify and help many victims of this attack.”
The Treasury said more than $200 million in ransom payments were paid in Bitcoin and Monero. It added that Latvian and Estonian government agencies were vital to the investigation.
Vasinskyi, 22, was being held in Poland pending U.S. extradition proceedings, while Polyanin, 28, remained at large.
Reuters could not reach any legal representatives for the two, and no lawyers were listed on the indictments.
Up to 1,500 businesses around the world have been affected by ransomware attacks centered on Kaseya. Such companies typically handle back-office work for companies too small or modestly resourced to have their own tech departments.
The U.S. indictment of the Ukrainian hacker said he and other conspirators started deploying hacking software around April 2019 and “regularly” updated and refined it. The indictment also accused the hacker of laundering money obtained through a hacking extortion scheme.
Europol said earlier on Monday that Romanian authorities on Nov. 4 arrested two individuals suspected of cyber-attacks deploying the REvil ransomware. Since February, law enforcement authorities have arrested three other affiliates of REvil, Europol added.
Twelve suspects believed to have mounted ransomware attacks against companies or infrastructure in 71 countries were “targeted” in raids in Ukraine and Switzerland, Europol said on Friday.
(Reporting by Mark Hosenball, Diane Bartz and Susan Heavey in Washington and Kanishka Singh in Bengaluru; Editing by Dan Grebler)