The U.S. Justice Department has charged a suspect from Ukraine and a Russian national over a July ransomware attack on an American company, according to indictments made in court filings on Monday, and has seized $6 million in ransom payments.
Yaroslav Vasinskyi, a Ukrainian national arrested in Poland last month, will face U.S. charges for deploying ransomware known as REvil, which has been used in hacks that have cost U.S. firms millions of dollars, the court filing showed.
Vasinskyi conducted a ransomware attack over the July 4 weekend on Florida-based software firm Kaseya that infected up to 1,500 businesses around the world, according to the charges filed in the U.S. District Court for the Northern District of Texas.
Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, were charged by the United States with conspiracy to commit fraud and conspiracy to commit money laundering, among other charges.
The Treasury Department also said the two operatives face sanctions for their role in ransomware incidents in the United States, as well as a virtual currency exchange called Chatex “for facilitating financial transactions for ransomware actors.”
Vasinskyi was responsible for the July 2021 ransomware activity against Kaseya, “which caused significant disruptions to the computer networks of Kaseya’s customer base,” the Treasury said.
One of the most widespread ransomware attacks came with the corruption of a widely used software tool made by Kaseya. Many Kaseya customers were infected at once with REvil encryption. Some paid ransoms, though a master decryption key was eventually recovered by authorities and distributed weeks later.
The Treasury said more than $200 million in ransom payments were paid in Bitcoin and Monero. It added that Latvian and Estonian government agencies were vital to the investigation.
Vasinskyi, 22, was being held in Poland pending U.S. extradition proceedings, while Polyanin, 28, remained at large.
Up to 1,500 businesses around the world have been affected by ransomware attacks centered on Kaseya, which provides software tools to IT outsourcing shops. Such companies typically handle back-office work for companies too small or modestly resourced to have their own tech departments.
The U.S. indictment of the Ukrainian hacker said he and other conspirators started deploying hacking software around April 2019 and “regularly” updated and refined it. The indictment also accused the hacker of laundering money obtained through a hacking extortion scheme.
Europol said earlier on Monday that Romanian authorities on Nov. 4 arrested two individuals suspected of cyber-attacks deploying the REvil ransomware. Since February, law enforcement authorities have arrested three other affiliates of REvil, Europol added.
Twelve suspects believed to have mounted ransomware attacks against companies or infrastructure in 71 countries were “targeted” in raids in Ukraine and Switzerland, Europol said on Friday.