REvil Ransom Arrest, $6M Seizure, and $10M Reward – Krebs on Security

The U.S. Department of Justice today announced the arrest of a Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location of any key REvil leaders, and up to $5 million for information on REvil affiliates.

If it seems unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part of this law enforcement action don't appear to have done much to separate their cybercriminal identities from their real-life selves.

Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. Vasinskyi was arrested Oct. 8 in Poland, which maintains an extradition treaty with the United States. Prosecutors say Vasinskyi was involved in a number of REvil ransomware attacks, including the July 2021 attack against Kaseya, a Miami-based company whose products help system administrators manage large networks remotely.

Yaroslav Vasinskyi's Vkontakte profile reads "If they tell you nasty things about me, believe every word."

According to his indictment (PDF), Vasinskyi used a variety of hacker handles, including "Profcomserv", the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers "Yarik45" and "Yaroslav2468."

These last two nicknames correspond to accounts on several top cybercrime forums way back in 2013, where a user named "Yaroslav2468" registered using the email address

That email address was used to register an account at Vkontakte (the Russian version of Facebook/Meta) under the profile name of "Yaroslav 'sell the blood of css' Vasinskyi." Vasinskyi's Vkontakte profile says his current city as of Oct. 3 was Lublin, Poland. Perhaps tauntingly, Vasinskyi's profile page also lists the FBI's 1-800 tip line as his contact phone number. He is now in custody in Poland, awaiting extradition to the United States.

Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian national who is alleged to be REvil Affiliate #23. The DOJ said it seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, and that the defendant had been involved in REvil ransomware attacks on multiple U.S. victim organizations.

The FBI's wanted poster for Polyanin.

Polyanin's indictment (PDF) says he also favored a number of hacker handles, including LK4D4, Damnating, Damn2life, Noolleds, and Antunpitre. Some of these nicknames go back more than a decade on Russian cybercrime forums, many of which have been hacked and relieved of their user databases over the years.

Among those was carder[.]su, and that forum's database says a user by the name "Damnating" registered with the forum in 2008 using the email address. Sure enough, there is a Vkontakte profile tied to that email address under the name "Yevgeniy 'damn' Polyanin" from Barnaul, a city in the southern Siberian region of Russia.

The apparent lack of any real operational security by either of the accused here is so common that it's hardly remarkable. As evidenced by countless investigations in my Breadcrumbs story series, I've found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

As I explained earlier this year in The Wages of Password Re-use: Your Money or Your Life, it's possible in many cases to make that connection thanks to two factors. The biggest is password re-use by cybercriminals (yes, crooks are lazy, too). The other is that cybercriminal forums, services, etc. get hacked almost as much as everyone else on the Internet, and when they do their user databases can reveal some very valuable secrets and connections.

In conjunction with today's REvil action, the U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a REvil ransomware incident.

I really like this bounty offer and I hope we see more like it for other ransomware groups. Because as we can see from the prosecutions of both Polyanin and Vasinskyi, a lot of these guys simply aren't too hard to find. Let the games begin.