DOJ Charges 2 People Connected to REvil/Sodinokibi Ransomware

The Justice Department charged two individuals and seized $6.1 million in connection with REvil/Sodinokibi ransomware.

By Jill McKeon

The US Department of Justice (DOJ) announced two indictments connected to REvil/Sodinokibi ransomware. The actions were part of the DOJ’s Ransomware and Digital Extortion Task Force, which was created to combat the growing number of ransomware attacks targeted at US critical infrastructure, healthcare, and other industries.

Ukrainian national Yaroslav Vasinskyi, 22, was arrested and charged with allegedly deploying REvil/Sodinokibi ransomware against multiple victims, including the large-scale July 2021 attack on software management company Kaseya. The attack exposed hundreds of Kaseya’s customers to serious security risks.

The DOJ also charged Russian national Yevgeniy Polyanin, 28, in connection with REvil/Sodinokibi attacks, and seized $6.1 million in funds allegedly traced to ransom payments received by Polyanin.

Polyanin is believed to be abroad, and Vasinskyi was taken into custody in Poland on October 8.

The indictments claim that Polyanin and Vasinskyi accessed the internal computer networks of their victims and deployed ransomware to encrypt the data of multiple victims. Both were charged in separate indictments with conspiracy to commit fraud, multiple counts of damage to protected computers, and conspiracy to commit money laundering.

If convicted, Vasinskyi and Polyanin will face maximum penalties of 115 and 145 years in prison, respectively.

REvil/Sodinokibi ransomware has been tied to some of the largest ransomware attacks on critical infrastructure, healthcare, and finance. McAfee’s quarterly cyber threat report, released in October, revealed that 73 percent of McAfee’s ransomware detections last quarter were credited to REvil/Sodinokibi.

REvil/Sodinokibi has disappeared and reemerged numerous times since its initial launch in 2018. In late October, a coalition of international governments hacked and forced REvil/Sodinokibi offline.

“Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy, and to our national security,” Attorney General Merrick Garland said in the DOJ’s press release.

“Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims.”

HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a brief in August warning the healthcare sector of REvil/Sodinokibi’s risk to the industry. In June 2019, REvil targeted approximately 400 dental offices across the country, impacting patient care. In December 2019, the group targeted Complete Technology Solutions, an IT services company that has hundreds of customers in the healthcare sector.

“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” Acting U.S. Attorney for the Northern District of Texas Chad E. Meacham explained in the statement.

“In a matter of months, the Justice Department identified the perpetrators, effected an arrest, and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cyber criminals.”