Crackdown on REvil Ransomware Operators Results in Multiple Arrests, Recovery of $6 Million Extorted from Victims

Actions taken against REvil affiliates ended with one arrest and the recovery of $6 million extorted from ransomware victims, the US Justice Department announced today. Romanian authorities have also detained two affiliates, bringing the number of REvil arrests to seven.

Yaroslav Vasinskyi, 22, a Ukrainian national, has been charged with conducting ransomware attacks against multiple victims, including the widely publicized July attack against several US companies.

Authorities also seized $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting REvil ransomware attacks against multiple victims.

“Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims’ computers,” according to the US Department of Justice. “The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files. Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom. If a victim paid the ransom amount, the defendants provided the decryption key, and the victims then were able to access their files. If a victim did not pay the ransom, the defendants typically posted the victims’ stolen data or claimed they sold the stolen data to third parties, and victims were unable to access their files.”

The $6.1 million seized from Polyanin is allegedly traceable to ransomware attacks and money laundering committed using Sodinokibi/REvil ransomware.

The two threat actors are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, multiple counts of damage to protected computers, and conspiracy to commit money laundering. They face more than a century in prison if convicted of all counts.

Vasinskyi was taken into custody in Poland where he is held by authorities pending his requested extradition to the United States. In parallel with this arrest, interviews and searches were carried out in multiple countries that ended up with several other REvil affiliates getting detained.

Romanian authorities have also arrested two affiliates of the REvil ransomware operation responsible for 5,000 infections. Since February 2021, law enforcement officers have arrested three other affiliates of REvil, plus two GandCrab suspects, bringing the total of arrests to seven.