Justice Department seizes $6 million as part of crackdown on hackers linked to Kaseya attack
The Justice Department on Monday announced that it had seized more than $6 million in ransomware victim payments as part of a sweeping effort by the Biden administration to go after and crack down on hackers involved in ransomware attacks against U.S. companies.
As part of this effort, the Justice Department indicted Ukrainian national Yaroslav Vasinskyi for his part in carrying out the ransomware attack on IT company Kaseya in July through the use of REvil ransomware. An indictment was also announced against Russian national Yevgeniy Polyanin, from whom $6.1 million in victim ransom payments was seized.
Vasinskyi, who was taken into custody in Poland in October and awaits extradition to the United States, faces charges including conspiracy to commit fraud and money laundering. Vasinskyi faces up to 115 years in prison if convicted of all counts.
Polyanin remains at large abroad, but is charged with similar counts as Vasinskyi, and faces up to 145 years in prison if apprehended and convicted on all counts.
Attorney General Merrick Garland announced the seizure of funds and the indictments during a press conference on Monday that also included FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco. He emphasized that “this will not be the last time” that the U.S. reclaims ransomware victim payments.
“The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats,” Garland told reporters.
“The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being,” Wray said in a statement. “We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”
President Biden on Monday applauded the actions taken by the Justice Department and other agencies to counter ransomware efforts. Biden pointed to his discussions on cracking down on hackers with Russian President Vladimir Putin earlier this year as an example of taking action when needed.
“When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable,” Biden said in a statement. “That’s what we have done today. We are bringing the full strength of the federal government to disrupt malicious cyber activity and actors, bolster resilience at home, address the abuse of virtual currency to launder ransom payments, and leverage international cooperation to disrupt the ransomware ecosystem and address safe harbors for ransomware criminals.”
“While much work remains to be done, we have taken important steps to harden our critical infrastructure against cyberattacks, hold accountable those that threaten our security, and work together with our allies and partners around the world to disrupt ransomware networks — and my Administration will continue to use every tool available to us to protect the American people and American interests against cyber threats,” Biden said.
The Kaseya ransomware attack just ahead of the July Fourth holiday weekend exposed not only Kaseya, but also up to 1,500 other companies to compromise. The REvil ransomware group, also responsible for the earlier attack on meat producer JBS USA, was also linked to the Kaseya attack, and last month was shut down by a coalition of the U.S. and international allies.
This effort was the second time Kaseya had gone dark, with the group going offline shortly before a planned government operation to shut them down. The FBI temporarily withheld a decryption key from Kaseya and other affected companies due to the planned operation.
The Justice Department efforts are part of a wider set of actions undertaken by the Biden administration on Monday.
These also include the Treasury Department announcing sanctions against virtual currency exchange Chatex along with four other entities — IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd — for their alleged involvement in facilitating ransomware attack payments by victims.
The Treasury Department levied sanctions on Vasinskyi and Polyanin and a company linked to Polyanin for their role in carrying out REvil-linked ransomware attacks, alleging that the group received more than $200 million in victim payments.
“Ransomware groups and criminal organizations have targeted American businesses and public institutions of all sizes and across sectors, seeking to undermine the backbone of our economy,” Deputy Secretary of the Treasury Wally Adeyemo said in a statement Monday. “We will continue to bring to bear all of the authorities at Treasury’s disposal to disrupt, deter, and prevent future threats to the economy of the United States. This is a top priority for the Biden Administration.”
In addition, the State Department announced a $10 million reward for information on individuals linked to leadership positions in the REvil cybercriminal group and a $5 million reward for information that could lead to the conviction of individuals seeking to participate in REvil-backed attacks.
Officials from Europol, Eurojust, Romania, Canada, Poland, France, the Netherlands, Norway, Germany, Switzerland, the United Kingdom and Australia provided assistance in the investigation into the hacking efforts, alongside private companies including Microsoft and McAfee.
The case has been filed in the Northern District of Texas, where multiple companies victimized by the ransomware attack on Kaseya are located.
“What you see here today is a united front, and our message should be clear: if you target victims here, we will target you, and the Department of Justice won’t give up until you are held accountable,” Deputy Attorney General Lisa Monaco told reporters Monday.
The coordinated announcement reflects the Biden administration’s ongoing efforts to crack down on cybercriminals, in particular those involved in ransomware attacks, which have spiked over the past year.
The Justice Department set up a ransomware task force in April, along with announcing the seizure of the majority of the $4.4 million in Bitcoin paid by Colonial Pipeline in May to regain access to its systems as part of a ransomware attack that led to gas shortages in multiple states.
The Treasury Department previously announced sanctions against virtual currency exchange SUEX OTC, while the State Department last week announced a separate $10 million reward for information on hackers responsible for the Colonial Pipeline attack.
Updated at 3:32 p.m.