Kaseya Ransomware: 8 Things Learned From The DOJ, FBI

“I want to make clear that we are here today because, in their darkest hour, Kaseya made the right choice. And they decided to work with the FBI. Almost immediately after they were hit, Kaseya provided the FBI with information they needed to act,” says Lisa Monaco, deputy U.S. attorney general.

Behind The Kaseya Ransomware Attack: The Actors, Funds, And Aftermath

The U.S. Department of Justice, along with the Federal Bureau of Investigation, on Monday held a press conference in which they announced the arrest of an alleged perpetrator of the July Kaseya ransomware attack, the indictment of a second perpetrator, the recovery of $6.1 million in alleged illicit ransom payments, the support Kaseya provided that made those actions possible, and why the release of the decryptor tool by the FBI was delayed.

In early July, Kaseya was forced to take all SaaS instances of its VSA remote monitoring and management tool offline following an attack against some on-premises VSA customers.

REvil, the ransomware operator behind the attack, a few days later demanded $70 million from Kaseya for a decryptor that could be used to decrypt the ransomware on the 1,000-plus end customers hit by the attack. The FBI eventually was able to access the decryptor tool and enable those customers to recover.

Kaseya eventually said that the REvil attack via its VSA hit 56 of Kaseya’s 37,000 MSP customers and about 1,500 of those MSPs’ end-user clients.

Law enforcement investigations of ransomware attacks are seldom resolved, and so the DOJ and FBI have a right to brag. But at the same time, they gave credit where credit was due, thanking Kaseya for its swift action in bringing the case to the FBI, and thanking international law enforcement partners, particularly in Poland, for their support.

For details on what was learned from the DOJ and FBI this week, and a few questions yet to be answered, click through the slideshow.

The Rise Of Ransomware

Cyber crime is a threat to national security, to the health of the national economy, and to the personal safety of Americans, said U.S. Attorney General Merrick Garland.

Ransomware attacks, in which transnational attackers hold IT systems hostage and demand a ransom, have been targeted at critical infrastructure, law enforcement agencies, hospitals, schools, municipalities, and businesses of all sizes, he said.

“Meeting this threat requires a whole of government approach,” he said. “Together with our partners, the Justice Department is sparing no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack.”

Multinational software company Kaseya and its customers were attacked on July 2 by REvil, one of the most prolific strains of ransomware, Garland said.

“To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom,” he said. “As a result of the Kaseya attack, businesses that relied on Kaseya services across the United States and around the world were impacted.”

Naming Names: Yaroslav Vasinski Indicted

The Department of Justice Monday announced legal actions against two individuals allegedly involved with the Kaseya ransomware attack.

The DOJ on August 11 indicted Ukrainian national Yaroslav Vasinski, who is also known as “Robotnik.” That indictment was previously under seal.

Vasinski was charged with conspiring to “commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering,” Garland said.

According to the indictment, Vasinski and his co-conspirators co-authored REvil software and installed it on victims’ computers, including during the July 2 attack through Kaseya.

Vasinski on October 8 crossed the border from Ukraine to Poland where Polish authorities arrested him upon U.S. request. The U.S. has requested that Vasinski be extradited to the U.S.

“Vasinski’s arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate, and apprehend alleged cyber criminals, no matter where they are located,” Garland said.

Naming Names: Yevginiy Polyanin Indicted

The DOJ, in an indictment unsealed Monday, alleged that Russian national Yevginiy Polyanin conducted approximately 3,000 ransomware attacks that impacted numerous companies across the U.S., including law enforcement organizations and municipalities across Texas.

Polyanin ultimately extorted about $13 million from his victims, of which $6.1 million in cryptocurrency was recovered by the DOJ.

Polyanin is facing the same charges as Vasinski.

Kudos To Kaseya For Reaching Out

The Kaseya ransomware case proves the importance for victims to come forward and work with the Justice Department and FBI when first hit with an incident, said Deputy U.S. Attorney General Lisa Monaco.

“I want to make clear that we are here today because, in their darkest hour, Kaseya made the right choice,” she said. “And they decided to work with the FBI. Almost immediately after they were hit, Kaseya provided the FBI with information they needed to act. And to act fast. In doing so, we were ultimately able to identify and help many victims of this attack and also to follow the trail to Vasinski. Equally important, we worked with our partners at CISA (the Cybersecurity and Infrastructure Security Agency) to provide information to the public and to help prevent future attacks.”

Kaseya was one of several organizations worldwide impacted by the REvil ransomware, said FBI Director Christopher Wray.

“When Kaseya realized that some of their customers’ networks were infected with ransomware, they immediately took action,” Wray said. “They worked to make sure that both their own customers, the managed service providers, and those MSPs’ customers downstream quickly disabled Kaseya’s software on their systems.”

Kaseya also engaged early with the FBI, Wray said.

“The FBI then coordinated with a host of key partners including CISA and foreign law enforcement and intelligence services so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire,” he said. “Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit, and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger.”

The FBI was able to obtain a decryption key that allowed the generation of a usable capability to unlock Kaseya’s customers’ data.

“We immediately strategized with our inter-agency partners and reached a carefully considered decision about how to help the most companies possible both by providing the key and by maximizing our government’s impact on our adversaries who were continuing to mount new attacks. Fortunately, we were able to both unlock encrypted data and take bad actors out of operation,” Wray said.

Businesses Need To Do Their Part

Garland urged U.S. businesses to do their part by investing in cyber security.

“Being vigilant and investing resources in cyber security should be a high-profile priority for all of us,” he said.

It is important for victims to reach out to law enforcement when facing cyber attacks, Garland said.

“Failure to timely report also puts other potential victims in jeopardy,” he said. “It deprives investigators of the information that they need to forestall or mitigate other attacks. It is for this reason that we urge Congress to create a national standard for reporting significant cyber incidents, and to require that the reported information be shared immediately with the Justice Department.”

Confirmed: The FBI Delayed Releasing The Kaseya Ransomware Decryptor

Asked whether, after Kaseya came to the FBI, the bureau was able to both work with Kaseya to provide the decryption key and maximize law enforcement activity, given reports that the FBI did not immediately release the key, Wray would neither confirm nor deny the timeline of those events.

“I think it’s important for people to understand that, when we find technical information like decryption keys, first of all, I wish we would find them more often,” he said. “It’s not something that happens in every case. But it’s a specific goal in every investigation. That’s something that our folks are tasked with looking for. It’s not something we just kind of stumble across by happenstance. It’s a specific aim of the investigation so that we can turn around and push it out to companies, victims, and potential victims.”

But when there’s a decision like that, it’s an inter-agency group decision, Wray said.

“It’s not something the FBI does unilaterally,” he said. “There are a whole bunch of things that go into it. So that ranges from things like the testing and validation of the tool, which is part of it. We can’t just turn around and push something out. We gotta make sure it actually works. We gotta make sure that it’s not gonna make things worse rather than better. In some cases, remember who’s designing these things in the first place. So we don’t want to inadvertently put malware on somebody’s computer that we’re trying to help.”

Furthermore, the investigations are often part of a multinational operation and there are other factors, Wray said.

“But ultimately, it all boils down to trying to make sure that we can maximize the impact on the ransomware actors and maximize the benefit to the most victims, and the most potential victims,” he said. “So that’s kind of how it all gets worked together. A lot of times, that can happen very, very quickly. Sometimes it takes a little bit longer.”

Chatex Sanctioned

Wally Adeyemo, deputy secretary of the U.S. Treasury Department, said his organization, working with the Justice Department and the FBI, placed sanctions on two ransomware affiliates who were part of a group that carried out some of the most devastating ransomware attacks against the U.S. The Treasury Department is also sanctioning a virtual currency exchange, Chatex, and its enabling companies, which the department says have provided financial facilitation for multiple ransomware variants.

“This means that, effectively, all assets of these entities that are subject to U.S. jurisdiction are blocked. All transactions are prohibited for U.S. persons. And all domestic exchanges are prohibited from processing transactions with this exchange,” Adeyemo said.

Follow The Money

Along with the indictment of Polyanin came the news that $6.1 million in cryptocurrency allegedly received by him from the ransomware attacks was seized by the Department of Justice.

Monaco said this was the second time in five months funds have been seized from ransomware attackers. In June, the DOJ seized a majority of the $4.3 million paid by Colonial Pipeline to the Darkside ransomware gang following the cyber attack on that company’s gasoline pipelines in May.

“This will not be the last time,” Monaco said. “The U.S. government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.”

The $6.1 million in cryptocurrency recovered by the DOJ came about by following the money, Monaco said.

“The career prosecutors and the special agents of the FBI, working with partners around the globe, did some good old-fashioned detective work by chasing down digital leads, identifying infrastructure to dismantle, and seizing funds,” she said.

Questions Yet To Be Answered

Garland, when asked by a reporter whether the Russian government condoned or was aware of the ransomware activities outlined by the DOJ, declined to directly answer because of the ongoing investigation.

“I will say that we expect and hope that any government in which one of these ransomware actors is residing will do everything it can to provide that person to us for prosecution.”

Later, when asked how Vasinski was able to be captured when he crossed the border to Poland, Wray declined to answer.

“There are lots of reasons why people travel,” he said. “And I can’t get into the specific reasons why Mr. Vasinski traveled. But boy are we glad that he did.”