The Department of Justice promises a whole of government approach to fighting ransomware groups no matter which country they operate from. Credit: Getty Images It didn’t take long for the White House’s ransomware initiative to be fruitful, as evidenced by the successful international law enforcement efforts targeting members of the Sodinokibi/REvil criminal enterprise. The Department of Justice (DoJ) unsealed two grand jury indictments on November 8, 2021, on individuals associated with the group – Yaroslave Vasinskyi and Yevgeniy Polyanin– both with Sodinokibi/REvil ransomware.US Attorney General Merrick Garland, accompanied by Deputy US Attorney General Lisa Monaco, FBI Director Christopher Wray, and Deputy Secretary of the US Treasury Wally Adeyemo, shared the news of the arrest of Vasinskyi by Polish authorities at the request of the United States. A DoJ press release highlighted the efforts of the Ransomware and Digital Extortion Task Force as being key. In addition, teams from within the private sector played a substantive role, includinf those from Microsoft, McAfee and BitDefender.Additionally, Polyanin, a Russian national still at large, saw $6,123,652.21 disappear from his FTX Trading Limited account on September 10, 2021, pursuant to a “seize property” warrant issued by Judge Rebecca Rutherford of the US District Court, North District of Texas. Vasinsky was lured to Poland from the Ukraine and arrested in Poland on October 8, 2021. He remains in custody and is now facing extradition by the US in accordance with the extradition treaty between the two countries. On November 4, 2021, two individuals (not yet identified) were arrested in Romania for their role in the REvil enterprise. “The arrest of Yaroslav Vasinskyi [October 5 in Poland], the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, US government and especially our private sector partners,” said FBI Director Christopher Wray. “The FBI has worked creatively and relentlessly to counter the criminal hackers behind Sodinokibi/REvil. Ransomware groups like them pose a serious, unacceptable threat to our safety and our economic well-being. We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”When asked what pretext was used to lure Vasinskiy to Poland, Wray wryly noted how individuals travel for many reasons and that “we” were glad Vasinskiy chose to travel from the Ukraine to Poland. While Garland, in response to the assistance being provided by Russia, declined to comment on ongoing law enforcement efforts, yet still managed to signal to Russia expectations with noting how the expectation of the United States is that any country, which a criminal is present, will assist the United States with their arrest and bringing the individual to justice to answer to their alleged crimes. Kaseya praised for engaging FBI earlyOf particular import to CISOs, was Wray’s laudatory comments on the handling of the REvil ransomware attack by victim, Kaseya when they were attacked on July 2. He applauded Kaseya for having engaged with law enforcement early which allowed the Kaseya and its customers to benefit from an all-government response to “put out the fire.” He also noted how these efforts resulted in the FBI being able to create a decryption key to unlock Kesaya’s customers’ data. This served to answer the question asked in late-September 2021 as to why the FBI held back REvil ransomware keys and with which international partners the FBI was engaged in the coordinated law enforcement action.Treasury Department issues advisories on virtual currency exchanges supporting criminal activityAdeyemo noted Treasury’s role in the “whole-of-government effort” against ransomware operators and virtual currency exchanges which support the cyber criminals, as including disruption to digital ecosystems. He also advised that Treasury was issuing a FinCEN Updates Ransomware Advisory, which designates the virtual currency exchange Chatex as being a part of the criminal support effort of the ransomware criminals. In addition to Chatex, Izibits OU, Chatextech SIA and Hightrade Finance ltd, were also designated for providing material support to Chatex’s criminal activity. The advisory notes how Latvia has suspended the operations of Chatextech. Estonia has revoked the license of Izibits OU.Rewards offered for arrest of DarkSide membersMeanwhile, the State Department has made available a $10 million reward for information leading to the identification or locations of any individual holding a key leadership position within the DarkSide ransomware organization and an additional $5 million for information leading to the arrest or conviction in any country of an individual participating in DarkSide ransomware. It is worth noting that the Department’s Transnational Organized Crime Rewards Program has paid out over $135 million in rewards.In closing, Garland called upon Congress to create a cyber reporting standard for industry to assist law enforcement in their efforts to thwart cybercrime. He, as did Monaco and Wray emphasized the role to be played by the private sector in the fight against cybercrime. It was repeatedly emphasized that early engagement with government by CISOs results in making available the resources of the “all-of-government” approach. Related content news Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed Much similar to Citrix-Bleed, the information disclosure bug was identified within NetScaler devices configured as gateway or virtual servers. By Shweta Sharma May 07, 2024 3 mins Vulnerabilities feature What is IAM? Identity and access management explained IAM is a set of processes, policies, and tools for controlling user access to critical information within an organization. By David Strom May 07, 2024 12 mins Identity Management Solutions IT Leadership Security news Most interesting products to see at RSAC 2024 Tools, platforms, and services that the CSO team recommends 2024 RSA Conference attendees check out. By CSO Staff May 07, 2024 12 mins RSA Conference Security news Google launches Google Threat Intelligence at RSA Conference The new addition to Google Cloud Security is designed to inform security teams on approaches to protecting against external threats, managing attack surfaces, and mitigating digital risks. By Sascha Brodsky May 06, 2024 4 mins RSA Conference Cloud Security Security Software PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe