REvil ransomware member extradited to U.S. to stand trial for Kaseya attack

The U.S. Department of Justice announced that alleged REvil ransomware affiliate, Yaroslav Vasinskyi, was extradited to the United States last week to stand trial for the Kaseya cyberattack.

Vasinkyi, a 22-year-old Ukrainian national, was arrested in November 2021 while entering Poland for his cybercrime activities as a REvil member.

Vasinkyi is believed to be a REvil ransomware affiliate tasked to breach corporate networks worldwide, steal unencrypted data, and then encrypt all of the devices on the network.

Shortly after Vasinkyi was arrested, the DOJ announced that he was responsible for the ransomware attack against Kaseya, a managed services provider, impacting thousands of companies worldwide.

“In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks,” explained the U.S. DoJ announcement.

“After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.”

The REvil operation (aka Sodinokibi) demanded $70 million for a decryption key to decrypt all of Kaseya’s affected customers. However, the FBI received the decryption key after a law enforcement operation gained access to the ransomware operation’s servers.

Vasinskyi is believed to be one of REvil’s long-term affiliates, taking part in at least nine confirmed ransomware attacks against companies in the U.S.

The indictment that was unsealed following his arrest substantiates eleven counts, linking them to distinct attacks against North American firms.

The charges that Vasinskyi is facing now for his actions are the following:

• Conspiracy to commit fraud and related activity in connection with computers
• Intentional damage to protected computers
• Conspiracy to commit money laundering

If convicted for all counts, Vasinskyi will be sentenced to a total of 115 years in prison. Additionally, he will also forfeit all property and financial assets.

MSPs targeted by ransomware in the past

Managed Service Providers use specialized software to remotely manage their customers’ networks, including pushing out patches, performing remote support, and managing the Windows domain.

Since the launch of the GandCrab ransomware operation and its successor, REvil, an affiliate has consistently shown expertise in MSP platforms by using them to encrypt targeted MSPs’ customers.

This expertise has led to successful attacks against managed service providers using the specialized software they use, including the Kaseya, ConnectWise, and WebRoot MSP platforms.

The Kaseya attack used previously unknown zero-day vulnerabilities and intimate knowledge on how the systems work, possibly indicating that this same affiliate was behind this attack as well.

If Vasinskyi is this affiliate, his arrest, and potential imprisonment are a boon to the MSP industry, which now has one less threat actor to worry about.

REvil in limbo

The case of Vasinkyi is a success for the U.S. judiciary and law enforcement, especially considering that Ukraine currently has no extradition treaty with the United States.

However, he is only one of the numerous REvil affiliates and almost certainly not part of the core team of the notorious RaaS (ransomware as a service) gang.

On November 4, 2021, two suspected REvil affiliates were arrested in Romania and Kuwait in an international law enforcement action coordinated by Europol and Interpol.

On January 15, 2022, the Federal Security Service (FSB) announced the arrest of fourteen suspected members of REvil, yet the leading operators are still assumed to be free.

While the REvil ransomware operation is shut down, it would not be surprising to see its core members or affiliate rebrand as a new operation in the future.