Five alleged members of the REvil ransomware gang have been arrested in an international crackdown on cybercriminals that has seen authorities claw back around $8.3 million in ransom payments.
Europol announced the arrests earlier this week, saying South Korean, Polish, and Romanian police had taken the alleged ransomware operators into custody as part of Operation GoldDust – an international law enforcement effort that included 17 countries.
US authorities had put out an international warrant for one of the men, Yaroslav Vasinskyi, a 22-year-old Ukrainian who was arrested at the Polish border in early October.
Vasinskyi allegedly perpetrated the supply chain attack on Kaseya – a US-based company that sells popular software to managed service providers.
It was a serious incident: an estimated 1,500 downstream companies were hit with ransomware, and the disruption dragged on until Kaseya procured a free decryption key for its affected customers.
On Tuesday, the US announced it was seeking to extradite Vasinskyi and try him on hacking and money laundering charges that collectively carry maximum penalties of 115 years.
It also announced an indictment against 28-year-old Russian man Yevgeniy Polyanin from whom US law enforcement claims to have seized around $8.3 million worth of assets it alleges were made as ransomware payments.
Polyanin is still on the run from the law and is facing a maximum 145 years in US prison for his alleged hacking and money laundering activities.
US Deputy Attorney General Lisa Monaco said the joint arrests and counter-operations show that law enforcement is serious about targeting ransomware gangs.
“Our message to ransomware criminals is clear: if you target victims here, we will target you,” she said.
“Criminals now know we will take away your profits, your ability to travel, and – ultimately – your freedom.
“Together with our partners at home and abroad, the Department will continue to dismantle ransomware groups and disrupt the cybercriminal ecosystem that allows ransomware to exist and to threaten all of us.”
The strong words and actions from international law enforcement signal a dramatic reversal of fortune for ransomware operators, like those behind REvil, which had long operated in the shadows of the internet and in jurisdictions where there was little appetite to stop them.
In the past year, authorities have amped up their efforts to stamp out the ransomware scourge that continues to trouble businesses and critical infrastructure.
A key part of stopping ransomware has been to disincentivise it by making cybercrime less profitable, for example by seizing extorted payments before the operators can cash them out.
In June, the US Department of Justice announced it had seized 63.7 bitcoins paid to the Colonial Pipeline attackers in an effort to stop what Monaco said was “the fuel that propels the digital extortion engine”.