On November 8, 2021, the U.S. Department of Justice (“DOJ”), U.S. Department of the Treasury (“Treasury”), and the U.S. Department of State (“State”) made several significant announcements regarding recent U.S. government actions targeting the ransomware ecosystem. The announcements are the latest signal that the federal government is taking increasingly aggressive actions to combat the threat of ransomware, which the U.S. government views as a national security threat.
The U.S. government actions focused on the REvil ransomware group (also known as Sodinokibi), one of the most prolific ransomware groups and responsible for the July 2021 attack against the information technology software company Kaseya. Specifically, the U.S. government announced the following actions:
- The arrest of a Ukrainian national and an indictment of an additional Russian national who played a prominent role in multiple REvil ransomware attacks;
- The seizure of $6.1 million in funds traceable to ransom payments made by victims of REvil attacks;
- Treasury sanctions against two REvil actors for their part in conducting ransomware incidents against the United States, as well as a virtual currency exchange and associated entities for facilitating financial transactions for ransomware actors;
- Updated Treasury Financial Crimes Enforcement Network (“FinCEN”) guidance related to ransomware to assist financial institutions, including virtual currency service providers, in identifying and reporting suspicious transactions associated with ransom payments; and
- A State reward of up to $10 million for information leading to the identification or location of leaders of the REvil ransomware group and up to $5 million for information leading to the arrest or conviction in any country of any persons conspiring or attempting to participate in a REvil ransomware incident.
DOJ Arrest and Seizure
DOJ announced the arrest of Ukrainian national Yaroslav Vasinskyi by Polish authorities in response to U.S. criminal charges, and the indictment of Russian national Yevgeniy Polyanin for their prominent involvement in REvil ransomware attacks. The charges detail their involvement in REvil attacks, one of the first cases where the U.S. government has been able to connect ransomware attacks to specific individuals.
The arrest of Vasinskyi reflects DOJ’s second ransomware-related arrest, following the June arrest of a Latvian national associated with the ransomware suite of malware known as Trickbot. The arrest is notable because ransomware actors often operate out of jurisdictions that are outside the reach of DOJ. It signals that DOJ will take the same approach to ransomware actors that it took to other national security cyber threats: to bring charges under seal, wait patiently until the hackers travel, and work with international law enforcement partners to effect arrests.
The seizure of REvil assets – in this case, $6.1 million in funds traceable to ransom payments – also marks the third time this year that DOJ has recovered payments made by ransomware victims. The first such seizure occurred in January 2021, when DOJ seized approximately $450,000 in ransom payments made to the NetWalker ransomware group, and the second came in June 2021, when DOJ recovered approximately $2.3 million in proceeds from ransom payments made by Colonial Pipeline to the DarkSide ransomware group.
DOJ’s arrests and seizures reflect a coordinated approach to ransomware attacks, which DOJ attributed in part to the creation of its Ransomware and Digital Extortion Task Force. The Task Force was created to strategically target the ransomware ecosystem and collaborate with domestic and foreign government agencies as well as private sector partners to investigate and prosecute such criminal threats. The Task Force also seeks to develop a comprehensive picture of the national and economic security threats posed by ransomware actors and the infrastructure and networks that allow these threats to persist. In remarks about DOJ’s actions, Attorney General Merrick Garland signaled that the federal government will continue to aggressively pursue ransomware actors and seize and return ransom payments to victims whenever possible.
Further emphasizing the importance of reporting and cooperation among private sector and law enforcement partners, DOJ highlighted the involvement of numerous domestic and international law enforcement agencies in the investigation, including the arrests of two other REvil ransomware group members by Romanian authorities. In particular, DOJ noted that multiple private-sector partners, including Kaseya, had provided significant assistance that ultimately enabled the FBI to identify other victims and recover ransom payment funds and DOJ to bring charges against these ransomware actors.
OFAC Sanctions and FinCEN Guidance
As part of the coordinated U.S. government response, Treasury’s Office of Foreign Assets Control (OFAC) designated Vasinskyi and Polyanin for their roles in perpetuating REvil ransomware incidents against U.S. government entities and private-sector companies, including Kaseya. OFAC also designated Chatex, a virtual currency exchange, for facilitating financial transactions for ransomware actors. Chatex has direct ties to SUEX OTC, S.R.O. (“Suex”), which, as we previously discussed, was sanctioned on September 21, 2021, for facilitating financial transactions for ransomware actors. OFAC also designated three companies that set up Chatex infrastructure, thereby providing it with material support and assistance: IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. These individuals and entities were designated pursuant to E.O. 13694, as amended, which covers certain malicious cyber activities. As a result of the designation, all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
Treasury’s sanctions announcement underscores that the U.S. government is carefully deploying its authorities to focus on efforts to disrupt ransomware actors while not seeking to penalize victims. For example, Treasury noted that sanctioning the REvil actors “does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant.” The language signals to victims that the new sanctions do not ban payments to any particular ransomware group, which could create legal liability for victims (although victims will continue to need to conduct appropriate sanctions checks if they are contemplating a payment, to ensure compliance with U.S. law).
Additionally, FinCEN updated its October 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The update includes new trends and typologies of ransomware and twelve financial red flag indicators of ransomware-related payments to assist financial institutions, including virtual currency service providers, in identifying and reporting suspicious transactions associated with ransom payments. The Advisory is addressed to financial institutions’ top senior management (including CEOs, COOs, and CCOs) and their anti-money laundering, legal, and cybersecurity departments.
State Department Efforts
In conjunction with the DOJ and Treasury announcements, State announced a new $10 million reward for information leading to the identification or location of leaders of the REvil ransomware group and up to $5 million for information leading to the arrest or conviction in any country of any persons conspiring or attempting to participate in a REvil ransomware incident. Earlier this month, State had announced a similar reward related to the DarkSide ransomware group.
State’s involvement reflects the transnational and diplomatic efforts of the United States to pursue ransomware actors wherever they may be located. In addition to liaising with foreign partners, State is also attempting to change the financial calculus for the ransomware market by offering significant rewards for additional information about REvil and DarkSide ransomware actors.
The rewards are being offered under State’s Transnational Organized Crime Rewards Program (TOCRP), which it manages in coordination with other federal law enforcement partners.
A Call for Private-Sector Cooperation
The U.S. government’s announcement included a fresh call to the private sector to notify and cooperate with law enforcement regarding ransomware attacks. Deputy Attorney General Lisa Monaco addressed the value of cooperation directly, noting: “the success of this case proves the crucial importance of victim companies working with DOJ and the FBI when they are first hit with an incident . . . we are here today because in their darkest hour, Kaseya made the right choice—they decided to work with the FBI.” She added: “to those who own small businesses, run Fortune 500 companies, manage hospitals and oversee school districts alike—this case is the reason you want to work with law enforcement. Know that if you pick up the phone, and you call the FBI, this is what is waiting for you on the other end of the line.”
These remarks track DOJ’s victim-focused approach to ransomware. Law enforcement agencies often develop significant information about the activities and tactics of ransomware groups. By coordinating with law enforcement, a victim organization may receive valuable non-public information that could help it identify the vulnerabilities exploited in a breach, whether the ransomware group is known for tactics like data exfiltration, and whether the ransomware group has a sanctions nexus.
The decision whether to coordinate with a law enforcement agency for an organization’s response to a ransomware incident presents potential benefits that must be balanced against potential risks. These risks and benefits must be worked through on a case-by-case basis.
In the future, notifications to the U.S. government regarding ransomware attacks may also become mandatory. As part of the press conference, Attorney General Garland announced DOJ’s support for a national standard mandating the reporting of significant cyber incidents to appropriate federal government agencies. Such legislation is pending on the Hill, and is likely to be considered as part of the National Defense Authorization Act later this year. With Congress looking increasingly likely to pass a cyber incident reporting requirement, what is currently a voluntary decision may become a national mandate in certain contexts.
[View source.]