COMING TO AMERICA —

Feds extradite ransomware suspects from 2 prolific gangs in a single week

Man arriving from Ukraine accused of causing Kaseya supply chain attack.

Stylized illustration of binary code.

Federal prosecutors extradited two suspected ransomware operators, including a man they said was responsible for an intrusion that infected as many as 1,500 organizations in a single stroke, making it one of the worst supply chain attacks ever.

Yaroslav Vasinskyi, 22, was arrested last August as he crossed from his native country of Ukraine into Poland. This week, he was extradited to the US to face charges that carry a maximum penalty of 115 years in prison. Vasinskyi arrived in Dallas, Texas, on March 3 and was arraigned on Wednesday.

First up: Sodinokibi/REvil

In an indictment, prosecutors said that Vasinskyi is responsible for the July 2, 2021, attack that first struck remote-management-software seller Kaseya and then caused its infrastructure to infect 800 to 1,500 organizations that relied on the Kaseya software. Sodinokibi/REvil, the ransomware group Vasinskyi allegedly worked for or partnered with, demanded $70 million for a universal decryptor that would restore all victims’ data.

The tactics, techniques, and procedures used in the Kaseya supply chain attack were impressive. The attack started by exploiting a zero-day vulnerability in Kaseya’s VSA remote management service, which the company says is used by 35,000 customers. The group stole a legitimate software-signing certificate and used it to digitally sign the malware. This allowed the group to suppress security warnings that would have otherwise appeared when the malware was being installed.

To add further stealth, the attackers used a technique called DLL side-loading, which places a spoofed malicious DLL file in a Windows’ WinSxS directory so that the operating system loads the spoof instead of the legitimate file. The hackers in the Kaseya campaign dropped an outdated file version that remained vulnerable to the side-loading of “msmpeng.exe,” which is the file for the Windows Defender executable.

Federal prosecutors allege that Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout Kaseya’s software build system to further deploy REvil ransomware to endpoints on customer networks. Vasinskyi is charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.

Remember NetWalker?

On Thursday, US prosecutors reported a second ransomware-related extradition, this one against a Canadian man accused of participating in dozens of attacks pushing the NetWalker ransomware.

Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, Canada, was arrested in January 2021 on charges that he received more than $27 million in revenue generated by NetWalker. The Justice Department said the defendant has now been transferred to the US, and his case is being handled by the FBI’s field office in Tampa, Florida.

NetWalker was an advanced and prolific group that operated under a RaaS—short for "ransomware as a service"—model, meaning core members recruited affiliates to use the NetWalker malware to infect targets. The affiliates would then split any revenue generated with the organization. A blockchain analysis revealed that between March and July of 2020, the group extorted a total of $25 million. Victims included Trinity Metro, a transit agency in Texas that provides 8 million passenger trips annually, and the University of California, San Francisco, which ended up paying a $1.14 million ransom.

NetWalker was a human-operated operation, meaning operators often spent days, weeks, or even months establishing a foothold inside a targeted organization. In January 2021, authorities in Bulgaria seized a website on the darknet that NetWalker ransomware affiliates had used to communicate with victims. The seizure was part of a coordinated international crackdown on NetWalker.

Vachon-Desjardins is charged with conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. Blockchain analysis firm Chainalysis said transactions it tracked show that the Canadian man also helped push RaaS strains Sodinokibi, Suncrypt, and Ragnarlocker.

This week’s extraditions are part of a string of successes that law enforcement authorities have had in recent weeks. Last June, the FBI said it seized $2.3 million paid to the ransomware attackers who paralyzed the network of Colonial Pipeline a month earlier and touched off gasoline and jet fuel supply disruptions up and down the East Coast. The website for Darkside, the ransomware group behind the intrusion, also went down around the same time.

Channel Ars Technica