A Ukrainian man was sentenced to 13 years and seven months in prison on Wednesday for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments, the U.S. Department of Justice said.
Yaroslav Vasinskyi, pseudonym Rabotnik, 24, was sentenced May 1 and ordered to pay restitutions totaling over $16 million.
Yaroslav Vasinskyi
As part of Operation GoldDust, involving 17 countries and various law informant agencies, Vasinskyi was extradited to the U.S. in 2021 after being taken into custody by Polish authorities due to his role in the REvil ransomware-as-a-service (RaaS) operation. In an indictment unsealed on November 8, 2021, Vasinskyi was charged with having conducted multiple ransomware attacks, including the July 2021 supply-chain attack against IT software company Kaseya, leading to more than 1,500 downstream victims.
This was in conjunction with the seizure of $6.1 million USD of traced ransoms received by Russian national Yevgeniy Polyanin, who was also charged with conducting attacks, including those against Texas businesses and state organizations in August 2019.
“The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin, the seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government, and especially our private sector partners,” said FBI Director Christopher Wray.
In 2023, the DOJ received the final forfeiture of ransom payments, which included the previously mentioned $6.1 million USD and 39.89138522 Bitcoin.
Vasinskyi previously pleaded guilty in the Northern District of Texas to an 11-count indictment charging him with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.
Ransomware Evil
REvil (also known as Sodinokibi) was a Russian-speaking RaaS operation seemingly formed in 2019, potentially from the remains of “Gold Garden,” the group behind the GandCrab ransomware. Emerging in mid-April of the same year, the ransomware has been linked to numerous attacks, including on a multitude of Texas municipalities.
Like many ransomware schemes, REvil would threaten to publish the information on their blog unless the ransom was paid. Targets of REvil included law firms, military contractors, IT companies such as Kaseya, Texas state institutions, a Brazilian meat processor, and even politicians and celebrities (allegedly including Donald Trump, Lady Gaga, and Madonna).
On 13 July 2021, REvil public infrastructure vanished from the internet, leaving officials without an explanation as to the reasoning. Following the Kaseya attack, the FBI obtained a universal decryption key that allowed those infected via Kaseya to freely recover their files.
In mid-September, cybersecurity firm Bitdefender published a free universal decryptor utility to help victims of the ransomware recover their encrypted files, which has been used by more than 1,400 companies across 83 countries. October saw the group forced offline in a multi-country cyber operation.
VMWare head of cybersecurity strategy, Tom Kellermann, stated: “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”
This eventually led to the previously mentioned November 2021 indictment and extradition of Yaroslav Vasinskyi as part of the Operation GoldDust, initiating some of the first legal actions against members of the cybegang.
As of January 2022, the Russian Federal Security Service (FSB) has stated that “the organized criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralized.”
