Federal prosecutors have extradited two suspected ransomware operators, including a man they believe was responsible for a breach that infected as many as 1,500 organizations at once, making it one of the worst supply chain attacks ever.
Yaroslav Vasinskyi, 22, was arrested last October while entering Poland from his native Ukraine. This week he was extradited to the US, where he faces charges carrying a maximum combined sentence of 115 years in prison. Vasinskyi arrived in Dallas, Texas on March 3 and was arraigned Wednesday.
First up: Sodinokibi/REvil
In an indictment, prosecutors said Vasinskyi is responsible for the July 2, 2021 attack that first hit Kaseya, a vendor of remote management software, and then spread through that software to the infrastructure of 800 to 1,500 organizations that relied on it. Sodinokibi/REvil, the ransomware group Vasinskyi reportedly worked for or collaborated with, demanded $70 million for a universal decryptor that would restore all victims’ data.
The tactics, techniques and procedures used in the attack on Kaseya’s supply chain were notable. The attack began by exploiting a zero-day vulnerability in Kaseya’s VSA remote management software, which the company says is used by 35,000 customers. The group obtained a legitimate code-signing certificate and used it to sign the malware, suppressing the security warnings Windows would otherwise show when unsigned code is installed.
To add even more stealth, the attackers used a technique called DLL side-loading. A legitimate, signed executable that resolves one of its libraries by file name from its own directory is copied somewhere the attacker controls, and a malicious DLL with that name is placed beside it; when the executable starts, Windows’ DLL search order finds the attacker’s library first and loads it inside a trusted, signed process. In the Kaseya campaign the attackers dropped an outdated copy of msmpeng.exe, the Windows Defender executable, which still loaded mpsvc.dll from its own directory without verifying it, and placed a malicious mpsvc.dll carrying the ransomware payload next to it.
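As an added illustration, not part of the article and not code from Kaseya or from any of the researchers who analyzed the attack, the following Python script shows one way a defender could flag this pattern in Sysmon-style image-load telemetry: a known side-load host such as msmpeng.exe running from, or loading its companion DLL from, a directory other than the Defender install path, or loading a copy of the DLL that is unsigned or signed by a publisher other than Microsoft. The event fields, the host/DLL pair table, the expected install directory and the sample events are all constructed for the example.

```python
"""
Toy side-loading detector over Sysmon-style ImageLoad (Event ID 7) records.
Added example, not from the article. Field names, the pair table and the
sample events are constructed for illustration only.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed table: executables known to be abused as side-load hosts, the DLL
# each one resolves from its own directory, and the directory the legitimate
# copy lives in. A real deployment would maintain a much longer list.
KNOWN_SIDELOAD_PAIRS = {
    "msmpeng.exe": ("mpsvc.dll", r"C:\Program Files\Windows Defender"),
}


@dataclass
class ImageLoad:
    image: str           # process that performed the load (Sysmon "Image")
    image_loaded: str    # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool         # did the DLL carry a valid Authenticode signature?
    signature: str = ""  # signer subject, empty when unsigned


def _dir_of(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the event looks like side-loading, else None."""
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.image_loaded).name.lower()
    pair = KNOWN_SIDELOAD_PAIRS.get(host)
    if pair is None or dll != pair[0]:
        return None  # not a host/DLL pair we track
    expected_dir = pair[1].lower()
    reasons = []
    # The Kaseya chain dropped BOTH the old host binary and the DLL into a
    # directory of the attacker's choosing, so check the host's path too.
    if _dir_of(ev.image) != expected_dir:
        reasons.append(f"{host} running from {_dir_of(ev.image)} instead of {expected_dir}")
    if _dir_of(ev.image_loaded) != expected_dir:
        reasons.append(f"{dll} loaded from {_dir_of(ev.image_loaded)} instead of {expected_dir}")
    # A signature by itself is not trust: the signer must match the host's
    # publisher. A validly signed DLL from some other company is still a hit.
    if not ev.signed:
        reasons.append(f"{dll} is unsigned")
    elif "microsoft" not in ev.signature.lower():
        reasons.append(f"{dll} signed by {ev.signature!r}, not Microsoft")
    return "; ".join(reasons) if reasons else None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (process image, reason) hits."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image, reason))
    return hits


# Constructed sample telemetry: one benign Defender load, one unrelated load,
# and one event shaped like the Kaseya-style drop (host and DLL both copied
# into C:\Windows, DLL signed by a non-Microsoft publisher).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Windows Defender\MsMpEng.exe",
              r"C:\Program Files\Windows Defender\mpsvc.dll",
              signed=True, signature="Microsoft Windows"),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll",
              signed=True, signature="Microsoft Windows"),
    ImageLoad(r"C:\Windows\MsMpEng.exe",
              r"C:\Windows\mpsvc.dll",
              signed=True, signature="Example Signer Ltd"),  # constructed signer
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The third sample event is the instructive one: the DLL is validly signed, so a rule that only asks "is this signed?" would pass it, exactly as the attackers intended when they signed the Kaseya payload. Comparing the signer against the host's publisher, and the load path against the product's install directory, is what surfaces the abuse.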
Federal prosecutors allege that Vasinskyi caused malicious Sodinokibi/REvil code to be deployed through a Kaseya product, whose normal deployment functionality then pushed REvil ransomware to endpoints on customer networks. Vasinskyi is charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.
Do you remember NetWalker?
On Thursday, US prosecutors reported a second ransomware-related extradition, of a Canadian man accused of participating in dozens of attacks that deployed the NetWalker ransomware.
Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, Canada, was arrested in January 2021 on charges of receiving more than $27 million in proceeds generated by NetWalker. The Justice Department said the defendant has now been extradited to the US, where the case is being investigated by the FBI’s field office in Tampa.
NetWalker was a sophisticated and prolific group operating under a RaaS (ransomware-as-a-service) model, meaning that core members recruited affiliates to use the NetWalker malware to infect targets. The affiliates then split the revenue generated with the core group. A blockchain analysis found that the group extorted a total of $25 million between March and July 2020. Victims included Trinity Metro, a Texas transportation company that provides 8 million passenger trips annually, and the University of California San Francisco, which ended up paying a $1.14 million ransom.
NetWalker was human-operated ransomware, meaning operators often spent days, weeks or even months working to gain and expand a foothold in a target organization before deploying the payload. In January 2021, authorities in Bulgaria seized a darknet website that NetWalker affiliates had used to communicate with victims. The seizure was part of a coordinated international crackdown against NetWalker.
Vachon-Desjardins is charged with conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. A blockchain analytics firm said transactions it tracked show that the Canadian man also worked with the RaaS groups Sodinokibi, SunCrypt and Ragnar Locker.
This week’s extraditions are part of a series of successes law enforcement agencies have had in recent months. Last June, the FBI said it had seized $2.3 million paid to the ransomware attackers who crippled Colonial Pipeline’s network a month earlier and disrupted gasoline and jet fuel supplies along the East Coast. Around the same time, the website of DarkSide, the ransomware group behind the intrusion, also went down.