REvil Ransom Arrest, $6M Seizure, and $10M Reward – Krebs on Security


The U.S. Department of Justice today announced the arrest of a Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location of any key REvil leaders, and up to $5 million for information on REvil affiliates.

If it sounds unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part of this law enforcement action do not appear to have done much to separate their cybercriminal identities from their real-life selves.

Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. Vasinskyi was arrested Oct. 8 in Poland, which maintains an extradition treaty with the United States. Prosecutors say Vasinskyi was involved in a number of REvil ransomware attacks, including the July 2021 attack against Kaseya, a Miami-based company whose products help system administrators manage large networks remotely.

Yaroslav Vasinskyi's Vkontakte profile reads "If they tell you nasty things about me, believe every word."

According to his indictment (PDF), Vasinskyi used a variety of hacker handles, including "Profcomserv," the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers "Yarik45" and "Yaroslav2468."

Those last two nicknames correspond to accounts on several top cybercrime forums way back in 2013, where a user named "Yaroslav2468" registered using the email address

That email address was used to register an account at Vkontakte (the Russian version of Facebook/Meta) under the profile name of "Yaroslav 'sell the blood of css' Vasinskyi." Vasinskyi's Vkontakte profile says his current city as of Oct. 3 was Lublin, Poland. Perhaps tauntingly, Vasinskyi's profile page also lists the FBI's 1-800 tip line as his contact phone number. He is now in custody in Poland, awaiting extradition to the United States.

Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian national who is alleged to be REvil Affiliate #23. The DOJ said it seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, and that the defendant had been involved in REvil ransomware attacks on multiple U.S. victim organizations.

The FBI's wanted poster for Polyanin.

Polyanin's indictment (PDF) says he also favored numerous hacker handles, including LK4D4, Damnating, Damn2life, Noolleds, and Antunpitre. Some of these nicknames go back more than a decade on Russian cybercrime forums, many of which have been hacked and relieved of their user databases over the years.

Among those was carder[.]su, and that forum's database says a user by the name "Damnating" registered with the forum in 2008 using the email address

Sure enough, there is a Vkontakte profile tied to that email address under the name "Yevgeniy 'damn' Polyanin" from Barnaul, a city in the southern Siberian region of Russia.

The apparent lack of any real operational security by either of the accused here is so common that it is hardly remarkable. As exhibited by countless investigations in my Breadcrumbs story series, I have found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

As I explained earlier this year in The Wages of Password Re-use: Your Money or Your Life, it is possible in many cases to make that connection thanks to two factors. The biggest is password re-use by cybercriminals (yes, crooks are lazy, too). The other is that cybercriminal forums, services, etc. get hacked almost as much as everyone else on the Internet, and when they do, their user databases can reveal some very valuable secrets and connections.
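The two pivots described above, a shared email address and a shared password hash, are mechanical enough to script. The following is an added illustration written for this page, not Krebs's own tooling and not data from any real forum: the two "dumps," the social-network profile, the handles, addresses and passwords in it are all constructed, and the unsalted-MD5 storage, the common-password list and the "shared by at most three accounts" cutoff are assumptions chosen for the example. It links accounts that share an email address, links accounts that share a password hash unless that hash is a well-known password or is shared so widely that it proves nothing, and then attaches a profile record keyed by email to the resulting cluster.

```python
"""Link forum personas across leaked user tables by shared e-mail and
shared password hash. Added example; all records below are constructed."""
import hashlib
from collections import defaultdict


def md5(s: str) -> str:
    # Old forums often stored unsalted MD5, which is what makes the
    # password pivot cheap; salted hashes must be cracked first.
    return hashlib.md5(s.encode()).hexdigest()


# Constructed "dumps": fictional handles, addresses and passwords.
FORUM_A = [
    {"handle": "yarik_demo",  "email": "demo.user@example.net", "pwhash": md5("hunter2")},
    {"handle": "bob_a",       "email": "bob.a@example.org",     "pwhash": md5("123456")},
    {"handle": "noise_maker", "email": "noise@example.org",     "pwhash": md5("qwerty123")},
]
FORUM_B = [
    {"handle": "demo2468",    "email": "other.box@example.com", "pwhash": md5("hunter2")},
    {"handle": "bob_b",       "email": "bob.b@example.com",     "pwhash": md5("123456")},
    {"handle": "loner",       "email": "loner@example.com",     "pwhash": md5("correct horse battery")},
]
FORUM_DUMPS = {"forum-a": FORUM_A, "forum-b": FORUM_B}

# Constructed stand-in for a scraped social-network profile keyed by e-mail.
PROFILES = [
    {"name": "Demo Person (fictional)", "city": "Exampleville", "email": "demo.user@example.net"},
]

# Hashes of passwords so common that sharing one proves nothing (assumed list).
COMMON_PASSWORDS = {md5(p) for p in ["123456", "password", "qwerty", "12345678"]}
MAX_SHARED = 3  # assumed cutoff: a hash used by more accounts than this is not a pivot


class UnionFind:
    """Minimal disjoint-set structure; every node is a string label."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def identity_clusters(dumps=FORUM_DUMPS, profiles=PROFILES,
                      common_hashes=COMMON_PASSWORDS, max_shared=MAX_SHARED):
    """Return a map node -> frozenset of every node linked to it.

    Nodes are 'handle@forum', 'email:<addr>', 'pwhash:<hex>' and
    'profile:<name> (<city>)'. A handle is joined to its e-mail always,
    and to its password hash only when the hash is not a known-common
    password and is shared by at most `max_shared` accounts."""
    uf = UnionFind()
    hash_users = defaultdict(set)
    for forum, rows in dumps.items():
        for r in rows:
            hash_users[r["pwhash"]].add((forum, r["handle"]))

    for forum, rows in dumps.items():
        for r in rows:
            node = f"{r['handle']}@{forum}"
            uf.union(node, f"email:{r['email']}")
            h = r["pwhash"]
            if h not in common_hashes and len(hash_users[h]) <= max_shared:
                uf.union(node, f"pwhash:{h}")

    for p in profiles:
        uf.union(f"profile:{p['name']} ({p['city']})", f"email:{p['email']}")

    clusters = defaultdict(set)
    for node in list(uf.parent):
        clusters[uf.find(node)].add(node)
    return {n: frozenset(c) for c in clusters.values() for n in c}


def linked_to(node, **kwargs):
    """Sorted list of every node in the same cluster as `node`."""
    return sorted(identity_clusters(**kwargs)[node])


if __name__ == "__main__":
    for n in linked_to("demo2468@forum-b"):
        print(n)
```

In the constructed data, "yarik_demo" on forum-a and "demo2468" on forum-b use different email addresses but the same unsalted hash of an uncommon password, so they are joined, and the first handle's email then drags in the fictional profile record; "bob_a" and "bob_b" both use "123456" and stay apart because that hash is on the common-password list. Treat a cluster as a lead to verify against registration dates, IPs and other columns a real dump carries, not as proof on its own.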

Along with today's REvil action, the U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a REvil ransomware incident.

I really like this bounty offer, and I hope we see more just like it for other ransomware groups. Because as we can see from the prosecutions of both Polyanin and Vasinskyi, a lot of these guys simply aren't too hard to find. Let the games begin.