Law enforcement agencies around the world have made a series of arrests in the past five days that together constitute one of the largest law enforcement crackdowns on suspected ransomware hackers to date.

The U.S. on Monday charged a Ukrainian national arrested in Poland and a Russian national with working for REvil, a ransomware gang that has operated with near impunity since at least 2019. And Romania, South Korea and Kuwait have each made arrests since Thursday of people allegedly affiliated with REvil.

Some of REvil’s highest-profile hacks include JBS, a major American meat supplier; Quanta, a Taiwanese manufacturer that supplies Apple computers; and Kaseya, a software company. The Kaseya hack allowed REvil to gain access to hundreds of companies.

The U.S. and European Union announced seven arrests on Monday, with each person accused of deploying malicious software for REvil.

The U.S. is trying to put at least one of the accused REvil hackers in an American prison. The Treasury Department on Monday sanctioned Yaroslav Vasinskyi, a Ukrainian national arrested in Poland in October and wanted by the U.S., alleging that he deployed REvil ransomware. It also charged and sanctioned a Russian national, Yevgeniy Polyanin, for allegedly deploying REvil against unnamed American companies.

The Treasury Department also announced sanctions against a cryptocurrency exchange, Chatex, which allegedly helped hackers launder bitcoin payments from their victims into cash. Chatex didn’t immediately respond to a Telegram message requesting comment, and was down on Monday.

The U.S. also has recovered $6.1 million in extorted funds from REvil, Attorney General Merrick Garland said Monday at a news conference. The group has received more than $200 million total in its operations, he said.

Two other alleged REvil affiliates were arrested by Romanian authorities on Thursday, Europol announced Monday. Also Thursday, Kuwaiti law enforcement arrested another accused criminal hacker allegedly tied to REvil. And South Korea has quietly been arresting alleged REvil hackers based there: one each in February, April and October.

South Korea has seen far more REvil infections than any other country, said Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft, primarily because hackers have deployed that ransomware software against thousands of individual homes.

While far from the only ransomware group that regularly terrorizes victims around the world, REvil had already found itself in U.S. crosshairs. In October, members complained that some of their systems had been hijacked, unaware they were under attack from U.S. Cyber Command, home of the country’s most effective offensive hacking operations, The Washington Post reported.

The coordinated international arrests come less than a month after the Biden administration hosted a first-of-its-kind international Zoom consortium on tackling ransomware. Poland, Romania, South Korea and Ukraine all attended. Russia, widely believed to be the world’s biggest haven for ransomware hackers, was not invited.

Alexandru Cosoi, senior director on the investigation and forensics unit at the cybersecurity company Bitdefender, which assisted multiple law enforcement agencies with the investigation, said the arrests were the culmination of years of work tracking REvil.

“We studied the criminals, we studied the affiliates, we studied the infrastructure, and every time we had something to provide to law enforcement, we provided it to the entire investigation group,” Cosoi said.

Notably, no Russian nationals were reported arrested. The U.S. has frosty relations with Russia and has struggled to convince it to prosecute cybercriminals who attack foreign entities from within its borders.

“It’s believed that the administrators, the developers, the people that actually made the virus — the backend platforms, the payment platforms, the infrastructure — these are Russian-speaking. They’re hosting in Russian. Their communications are in Russian,” Cosoi said.

Despite the scope of the arrests, they still represent only a fraction of the threat ransomware poses, said Joe Slowik, the senior manager of threat intelligence at the computer networking company Gigamon.

“We will likely observe short-term disruptions and friction, with some ‘lower level’ entities potentially exiting the game, without having a significant effect on long-term trends of ransomware activity,” Slowik said.

“Essentially the work still pays rather well and consequences can still be evaded in a sufficient number of locations such that operators can continue their work.”

Source: This article originally belongs to Nbcnews.com
