After an international law enforcement operation took its infrastructure offline in October, there has been widespread speculation that the REvil ransomware group may be done for good. The likelihood of that increased with last week’s apprehension of a Ukrainian man working as an affiliate for the group, along with the seizure of $6.1 million in cryptocurrency that had been collected by another affiliate.
REvil had already been struggling to recruit new affiliates after temporarily going dark in the wake of the high-profile attacks on JBS and Kaseya. Even before this arrest, the criminal underworld reportedly had deep concerns about the degree to which the group had been penetrated by law enforcement agencies. The US Department of Justice (DOJ) not only appears to have leads on REvil ransomware affiliates, but is also now offering rewards of up to $10 million for the names and locations of the group’s leaders and up to $5 million for further information about its affiliates.
REvil ransomware group hounded even after disbanding
US law enforcement agencies reportedly had some presence in REvil’s servers from shortly after the Kaseya attack over the summer, a fact that caused them some controversy when it emerged that they had held back a working decryption tool from victims for weeks.
It was unclear whether these agencies had any leads on the core REvil ransomware team, a group that takes great pains to hide its identity even as it publicly interacts on dark web forums. It would appear that they did not, but they did track down some of the group’s “ransomware-as-a-service” affiliates.
The first man taken into custody, 22-year-old Yaroslav Vasinskyi, is a Ukrainian national who was residing in Poland. The young cyber criminal was not nearly as careful about hiding his connections to the hacking underworld as the core REvil ransomware group tends to be. Authorities say that Vasinskyi used a variety of handles that could be tied together because they incorporated elements of his real name, and that one handle directly referenced the ProfComServ distributed denial of service (DDoS) network. He apparently used an email address registered with a cyber crime forum to open a social media account on VKontakte, which contained his real name and his city of residence in Poland. As if to remove any doubt about his involvement in online crime, Vasinskyi listed the FBI tip line as the contact number on his VKontakte profile. Court documents implicate him in over 2,500 attacks involving REvil ransomware.
The second person named, Yevgeniy Igorevich Polyanin of Russia, was apparently less public about his shady activities but was tracked down via the $6.1 million in ransomware payments he had received. Polyanin also used a variety of email addresses registered to cyber crime forums; while these were better anonymized, one was traced back to his personal profile on VKontakte.
Vasinskyi was named as a participant in the Kaseya attack, and the US is seeking to extradite him from Poland to face charges. Polyanin has been indicted but appears to be beyond the reach of law enforcement for the present; he was linked to over 3,000 attacks, including those that hit municipalities in Texas in 2019. The $6.1 million that Polyanin was holding was seized and will presumably be returned to victims at some point, though it is still not clear exactly which REvil ransomware attacks these payments came from.
Five other REvil affiliates have been arrested to date under the same operation: three earlier this year, and two more picked up in Romania on November 4 with the assistance of Europol. The two Romanian suspects alone are thought to have been responsible for some 5,000 infections and to have collected a little over half a million euros in ransom payments.
International law enforcement alliance aggressively pursues major ransomware gangs
The REvil ransomware arrests are the fruits of a broader international law enforcement campaign called Operation GoldDust, which involves 17 countries along with Europol, Eurojust and Interpol. Investigators may have at least some line on the core members of the REvil ransomware gang, as the operation has also snatched up several former affiliates and users of GandCrab, an older ransomware family from which REvil is thought to have been developed.
But, as has been typical for years now, investigations tend to run into a wall when a suspect is in Russia. The Biden administration formally asked Vladimir Putin’s government to take action against criminal hackers operating from its territory, and there is some speculation that Russia may have responded by putting pressure on big ransomware gangs that attack critical infrastructure and other disruptive targets overseas. The Russian government has generally taken a hands-off approach to cyber criminals who do not attack domestic or allied targets, however, and it does not extradite its citizens to the US.
Nevertheless, Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, sees the success of this operation having a knock-on effect in the broader global project of getting ransomware under control: “While the numbers of arrests and funds seized are relatively low when considering the numbers of attacks occurring each week, it does represent a significant step in the right direction and a playbook that law enforcement can continue to follow. The tempo of law enforcement operations may already be having an impact on the confidence of ransomware groups; in the past week the BlackMatter ransomware group reportedly retired their service, citing pressure from authorities.”
As a longer-term solution, Doug Britton, CEO of Haystack Solutions, suggests that the new Cybersecurity Maturity Model Certification (CMMC) will push the private sector to harden its defenses while law enforcement ramps up its ability to pursue cyber criminals: “CMMC is a positive approach to pushing the industry to adopt policies and procedures that help harden networks, but it is nearly impossible to suggest CMMC will prevent attacks … We have the tools and technology to find talent even in a tight labor market. We need to continue to invest in cyber professionals to ensure models like CMMC are thoughtfully implemented to the fullest extent.”
Bill Lawrence, CISO of SecurityGate, agrees: “The re-work of the CMMC framework should make it more accessible as well as strengthen its underpinnings by aligning it directly to NIST SP 800-171 and -172. Of course, risk assessments using any well-constructed framework are only as good as the people who use them, the resources they have, and the thoroughness of execution.”