Justice News

Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest
Washington, DC
United States
Monday, November 8, 2021

Attorney General Garland Remarks as Delivered

Good afternoon. I am joined today by Deputy Attorney General Monaco, FBI Director Wray and Deputy Treasury Secretary Adeyemo.  

A core priority of the Justice Department is to keep our country safe from all threats, foreign and domestic. Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy and to our national security.  

Cybercrime takes many forms, one of which is ransomware. In ransomware attacks, transnational cybercriminals use malicious software to hold digital systems hostage and demand a ransom. These attacks have targeted our critical infrastructure, law enforcement agencies, hospitals, schools, municipalities and businesses of all sizes.  

Meeting this threat requires a whole-of-government approach. Together, with our partners, the Justice Department is sparing no resource to identify, and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. Today, we are announcing that we are bringing to justice an alleged perpetrator of a significant, wide-reaching ransomware attack.  

On July 2, the multi-national information software company Kaseya, and its customers, were attacked by one of the most prolific strains of ransomware, known as REvil or Sodinokibi. To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom. As a result of the Kaseya attack, businesses that relied on Kaseya's services across the United States and around the world were impacted.   

Six weeks later, on August 11, the Justice Department indicted Yaroslav Vasinskyi – also known by the online moniker, Rabotnik. The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage; causing intentional damage to protected computers; and conspiring to commit money laundering.  

The indictment charges that Vasinskyi and co-conspirators authored REvil software; installed it on victims' computers, resulting in encryption of the victims' data, including in the July 2 attack; demanded ransom payments from those victims; and then laundered those payments. Two months after the indictment, on October 8, Vasinskyi crossed the border from Ukraine into Poland. There, upon our request, Polish authorities arrested him pursuant to a provisional arrest warrant. We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries.  

Today, we are unsealing Vasinskyi’s indictment. Vasinskyi’s arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate and apprehend alleged cybercriminals – no matter where they are located. 

Ransomware attacks are fueled by criminal profits. That is why we are not just pursuing the individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them, whenever we can, to the victims from whom they were extorted.   

And that brings me to our second announcement today. In addition to securing the arrest of Vasinskyi, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin.

As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indictment, is alleged to have conducted approximately 3,000 ransomware attacks. Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the State of Texas. Polyanin ultimately extorted approximately $13 million from his victims.  

We are also announcing the unsealing of an indictment against Polyanin. Like the indictment against Vasinskyi, he is charged with conspiring to commit intentional damage to protected computers and to extort in relation to that damage; causing intentional damage to protected computers; and conspiring to commit money laundering. 

Today, and now for the second time in five months, we announce the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation's resilience to cyber threats.   

But while today's announcements mark important successes, I want to emphasize that we all must play a role in improving our cyber defenses. This includes the American business community. Being vigilant and investing resources in cybersecurity should be a high profile priority for all of us.   

In addition, when ransomware attacks do occur, law enforcement's ability to respond depends in large part on whether – and how promptly – the victim reports the attack. Failure to timely report also puts other potential victims in jeopardy. It deprives investigators of the information they need to forestall or mitigate other attacks. It is for this reason that we urge Congress to create a national standard for reporting significant cyber incidents, and to require that the reported information be shared immediately with the Justice Department. 

Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice and to recover the funds they have stolen from the American people. 

Over the past seven months, the Justice Department has sharpened the tools at our disposal to investigate and prosecute ransomware attacks. We have created the DOJ Ransomware and Digital Extortion Taskforce, as directed by the Deputy Attorney General, which includes the Criminal Division, the National Security Division, the Executive Office of United States Attorneys, the Civil Division and the Federal Bureau of Investigation.  

I would like to thank all of our partners who have assisted in this effort, including CISA, the Treasury Department and the State Department; as well as our many foreign law enforcement partners. Finally, I would like to thank all those within DOJ for their work. This includes the U.S. Attorney's Office for the Northern District of Texas, the Criminal Division's Computer Crimes and Intellectual Property Section and Office of International Affairs, the National Security Division and the Jackson and Dallas FBI Field Offices, which led the department's investigation. 

I will now turn the podium over to Deputy Attorney General Monaco, who will provide further details. 

Deputy Attorney General Monaco Remarks as Prepared for Delivery

Thank you, Attorney General Garland.

Our announcements today reflect the work of the department’s Ransomware and Digital Extortion Task Force, as part of a whole of government response to the threat of ransomware. Both the arrest of Vasinskyi and the charges against Polyanin and the seizure of millions in cryptocurrency show we will be relentless in our mission to investigate, disrupt and prosecute ransomware attacks.

Over the past seven months, the task force – through those you see represented today and additional domestic and international partners – has been using every tool at our disposal and leveraging every authority we can to hunt down and hold accountable cybercriminals, wherever they may be.

Exactly five months ago, I stood at this podium to announce that the Department of Justice had turned the tables on ransomware actors and seized millions in cryptocurrency paid in ransom during the Colonial Pipeline ransomware attack.

Today, we are back to tell the American people that we’ve done it again. This time the Ransomware and Digital Extortion Task Force delivered a significant blow to the Sodinokibi/REvil ransomware gang, who attacked thousands of victims worldwide. These victims are networks of information technology and financial services firms, critical infrastructure entities, nonprofits, law enforcement agencies, local governments and food and agriculture suppliers.

Once again we were able to recover ransom by “following the money.” The career prosecutors and special agents of the FBI working with partners around the globe did some good old-fashioned detective work by chasing down digital leads, identifying infrastructure to dismantle and seizing funds.

Our partners at the State Department were able to build on our actions and later today, will be announcing a reward for those who assist us in our efforts to bring REvil actors to justice.

Our partners at the Treasury Department are also using their sanctions authority, which Deputy Secretary Adeyemo will discuss shortly. And our work won’t stop today; the department’s National Cryptocurrency Enforcement Team will continue to work with the Treasury Department to deprive bad actors of their profits and to dismantle the financial exchanges that knowingly enable criminal actors to flourish and profit.  

Ransomware knows no borders and so our efforts to combat it must be equally transnational—as they were in this case.

Today’s announcement, and the arrest of Vasinskyi in particular, was possible because of the strong partnership between U.S. law enforcement and our foreign counterparts. The arrest we announce today and the charges and seizures are part of a coordinated series of law enforcement actions, taken with partners across four different continents. These actions include the arrests of two additional Sodinokibi/REvil actors – announced earlier today – by Romanian authorities.

Ultimately though, the success of this case proves the crucial importance of victim companies working with DOJ and the FBI when they are first hit with an incident. The director will speak more about what exactly the FBI did in this case but I want to make clear that we are here today because in their darkest hour, Kaseya made the right choice — they decided to work with the FBI.

Almost immediately after they were hit, Kaseya provided the FBI information they needed to act—and to act fast. In doing so, we were ultimately able to identify and help the many victims of this attack and also, to follow the trail to Vasinskyi. Equally important, we worked with our partners at CISA to provide information to the public and to help prevent future attacks.

What you see here today is a unified front and our message should be clear: if you target victims here we will target you – and the Department of Justice won’t give up until you are held accountable.

To Americans watching today — to those who own small businesses, run Fortune 500 companies, manage hospitals and oversee school districts alike — this case is the reason you want to work with law enforcement. Know that if you pick up the phone, and you call the FBI, this is what is waiting for you on the other end of the line.

And now I will turn the podium over to FBI Director Wray.

FBI Director Wray Remarks as Prepared for Delivery

Good afternoon.

Today's announcement of the arrest of Yaroslav Vasinskyi in Poland, and the charges against and seizure from Yevgeniy Polyanin shows what’s possible when international and federal law enforcement work together with private sector companies. It also demonstrates our resolve in pursuing criminal enterprises that use ransomware to threaten our critical infrastructure, our public health and safety and our economic vitality.

As the Attorney General noted, this ransomware strain has wreaked havoc across the globe. Extorting vast sums and inflicting significant damage with attacks on, to name just a few, JBS foods, local governments in Texas, hospitals, schools, 911 call centers and of course, Kaseya.

When Kaseya realized some of their customers’ networks were infected with ransomware, they immediately took action. They worked to make sure both their own customers – managed service providers – and those MSPs’ customers downstream, quickly disabled Kaseya’s software on their systems.

They also engaged with us, early. The FBI coordinated with a host of key partners – including CISA, and foreign law enforcement and intelligence services – so Kaseya could benefit from all of our expertise, authorities and reach as it worked to put out the fire.

Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit. And for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for and how the companies could best address the danger. Here, we were able to obtain a usable decryption key that allowed us to generate a capability to unlock Kaseya customers’ data.

We immediately strategized with our interagency partners and reached a carefully considered decision about how to help the most companies possible, both by providing the key, and by maximizing our government’s impact on our adversaries, who continued to mount new attacks. Ultimately, we were able both to unlock encrypted data and to take bad actors out of operation, including by hitting Sodinokibi more broadly.

Seizing cryptocurrency, and as you just heard, late last week our partner Romanian authorities also arrested two other individuals suspected of cyber attacks using Sodinokibi/REvil ransomware.

As the Attorney General and Deputy Attorney General mentioned, the steps we’ve announced today are yet another example highlighting why the public needs breach reporting legislation that provides the FBI real-time access to information about ransomware attacks and other criminal breaches.

When the FBI is engaged early, we can provide victims more and better support: we get them the intelligence and technical information they need faster, we can quickly work back from that intrusion to follow and seize the criminals’ money before it can jump through wallet after wallet and exchange after exchange, identify other victims about to be hit or in the early stages of further attacks, and make connections between what the reporting victim sees and intelligence we gather from around the world, arming both the private sector and our government partners with insights they can act on.

We’ve deployed technically trained agents, computer scientists, intelligence analysts and others in every one of our 56 field offices across the country. So, we can warn businesses big and small, wherever they may be, quickly and with the information they need to defend their networks.

Over the past few years, ransomware schemes have repeatedly crippled hospital systems, targeted the energy sector, threatened emergency services and cost or endangered thousands of jobs at businesses of every kind and size.

Most of the time, the actors themselves are trying to hide abroad. But as we’ve shown time and again, we’ll still pursue them, disrupt them and hold them accountable – the long arm of the law reaches a lot farther than they think. And we’ve got ways of disrupting those sheltering in places like Russia – as Polyanin discovered when he woke up and found $6.1 million he’d extorted from his victims missing.

Good partners of ours, like the Treasury and State departments, are also adept at turning the results of our investigations into action and pressure abroad. I want to thank Kaseya and other private sector partners for their invaluable help in this case – and for the way they’ve joined our response to the ransomware threat. I also want to thank our own Dallas and Jackson field offices for leading the investigation. And I’m grateful to all our federal partners, and our many foreign partners, especially Poland, Romania, Ukraine, France and Germany.

The cyber threat is daunting – but when we combine the right people, the right tools, and the right authorities, our adversaries are no match for what we can accomplish together. Thank you. And now I’ll turn the podium over to the Deputy Secretary of the Treasury, Wally Adeyemo.

Updated November 8, 2021