(Bloomberg) -- After vowing for months to crack down on ransomware, the Biden administration and allied countries unleashed a string of actions Monday against one of the most prolific hacking groups and also issued sanctions against cryptocurrency entities that allegedly enable such attacks.
European authorities on Monday morning announced that they had arrested five people allegedly associated with the Russia-linked REvil ransomware group, which was accused of being behind attacks earlier this year on the meatpacker JBS SA and others. In the U.S., a Ukraininan national, Yaroslav Vasinkyi was indicted for his involvement in REvil ransomware attacks, according to court documents unsealed Monday in Dallas.
In Washington, the Treasury Department announced actions intended to disrupt ransomware attacks and the virtual currency exchanges that launder the illicit proceeds. The State Department offered a reward of as much as $10 million for information leading to the identification or location of REvil’s leaders and as much as $5 million for information leading to the arrest and/or conviction of individuals who participated in attacks involving REvil’s malware.
“REvil,” short for “Ransomware-Evil,” is known as one of the world’s most infamous ransomware gangs. The group is accused of staging several attacks this year against major companies and organizations, including Brazilian meat supplier JBS and Miami-based technology company Kaseya. JBS paid an $11 million ransom, while Kaseya said it declined to pay the hackers.
Following a string of high-profile attacks, President Joe Biden vowed to make curbing ransomware a priority for his administration. Earlier this year, the White House enlisted more than 30 countries to join a “Counter-Ransomware Initiative,” with stated aims including improving cybersecurity and disrupting the ransomware economy, which includes the use of crytocurrency.
The arrests by European law enforcement involved so-called REvil affiliates. Ransomware groups often provide their malware to others, called affiliates, who then target victims and pay the group a cut of the illicit proceeds. Europol said that law enforcement agencies had identified the alleged affiliates of REvil after seizing infrastructure used by the group and carrying out investigative methods such as wiretapping.
Romanian authorities arrested two alleged affiliates of the group on Nov. 4, according to a statement released on Monday by European law enforcement agency Europol. A further three arrests of REvil suspects were made earlier this year, Europol said.
The alleged hackers are suspected of involvement in about 5,000 ransomware infections and received about half a million Euros ($579,000) in ransom payments. Many ransomware gangs offer their malware to others, called affiliates, who then send it out to infect victims, in what is known as ransomware-as-a-service.
In the Texas indictment, Yaroslav Vasinskyi was charged with conspiracy to commit fraud and money laundering, as well as other computer crimes, in connection with REvil ransomware attacks against several U.S. businesses. Prosecutors allege Vasinskyi “knowingly and willfully” conspired to intentionally damage computer systems among at least nine firms in seven states.
Prosecutors said the victims in Vasinskyi’s attacks have paid more than $2 million in combined ransom.
The government alleges that Vasinskyi and other conspirators authored and deployed the malicious software on computer systems since April 2019. Prosecutors say the attackers infected computers using a swath of tricks, including sending out phishing emails, using compromised remote desktop passwords and exploiting vulnerabilities in software code.
Monday’s actions include the designation of Chatex, a virtual currency exchange, and its associated support network, for facilitating financial transactions for ransomware actors. Chatex, which claims to have a presence in multiple countries, has facilitated transactions for multiple ransomware variants, according to the Treasury Department. Analysis of Chatex’s known transactions indicate that over half are directly traced to illicit or high-risk activities such as dark net markets, high-risk exchanges, and ransomware.