Ukrainian national sentenced over REvil ransomware spree

A United States court has sentenced a 24-year-old Ukrainian national named as Yaroslav Vasinskyi to 13 years and seven months in prison, and ordered him to pay more than $16m in restitution, after convicting him of over 2,500 ransomware attacks demanding over $700m in payments under the REvil/Sodinokibi crime spree.

Vasinskyi, who used the handle Rabotnik online, had previously pled guilty in a Texas court to 11 indictments of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. He was arrested in late 2021 after he tried to cross from Ukraine into Poland, and extradited to the US.

“As this sentencing shows, the Justice Department is working with our international partners and using all tools at our disposal to identify cyber criminals, capture their illicit profits, and hold them accountable for their crimes,” said US attorney general Merrick Garland.

“Deploying the REvil ransomware variant, the defendant reached out across the globe to demand hundreds of millions of dollars from US victims,” added deputy attorney general Lisa Monaco. “But this case shows the Justice Department’s reach is also global – working with our international partners, we are bringing to justice those who target US victims, and we are disrupting the broader cyber crime ecosystem.”

The REvil syndicate was behind a string of high-profile cyber attacks and dominated the ransomware ecosystem for a time in 2020 and 2021.

It first came to widespread attention in the UK after it knocked over the systems of foreign exchange provider Travelex in January 2020.

Other victims included American foodservice firm JBS, one of the world’s largest beef suppliers; tech firm and Apple supplier Quanta Computer, via which it attacked Apple itself; and a New York City law firm with clients including former president Donald Trump and singer Lady Gaga.

Most famously, REvil was behind the 4 July 2021 hit on Kaseya. In the aftermath of the Kaseya heist, REvil claimed it had infected a million computer systems – Kaseya found 50 managed service provider (MSP) customers and about 1,500 of the customers of those MSPS were affected, and demanded a $70m bitcoin ransom to provide a universal decryptor.

Such was the scale of the attack that it prompted the multinational law enforcement action that ultimately brought Vasinskyi to justice.

REvil was among the pioneers of the double extortion technique that emerged around the turn of the decade, in which victims not only find their data has been encrypted, but also stolen and effectively held hostage.

This now standard technique is purposely designed to pile additional pressure on crisis-stricken organisations, extract more money from them to avoid embarrassment, and in some cases to attract the attention of regulators. REvil itself frequently used its dark web site – known somewhat incongruously as the Happy Blog – to name and shame its victims.

The prolific gang was finally disrupted and laid low by the Russian authorities in early 2022. The action took place in a brief window of time prior to the invasion of Ukraine when it seemed like Moscow might willingly collaborate with Western agencies on the ransomware threat.