Polish authorities arrested 22-year-old Ukrainian Yaroslav Vasinskyi on Oct. 8 in connection with attacks on software provider Kaseya and others.
In an indictment a month later, the U.S. Department of Justice accused Vasinskyi of unleashing Sodinokibi/REvil ransomware on Kaseya and other victims.
Vasinskyi and a co-defendant, 28-year-old Russian Yevgeniy Polyanin, “deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas in a news release.
While Polyanin is still at large, the U.S. says it recovered $6.1 million in alleged ransom payments it says Polyanin received from Kaseya and other victims.
Polish authorities said they arrested Vasinskyi in a village located on the Polish and Ukrainian border. Police seized $10,000 during his arrest, according to Cyberscoop. He is expected to be extradited to the U.S. under Poland’s treaty with the U.S.
Vasinskyi reportedly attended college in Poland and has lived there since 2016.
As a story in Bloomberg details, Vasinskyi is a computer whiz whose skills were apparent in high school in his hometown of Dubrovytsia, Ukraine. Bloomberg said he could “easily disable the protection installed on the students’ personal computers and switch off the teacher’s remote control without knowing the password.”
He freelanced after school repairing mobile phones and building websites. The money helped him attend college in Lublin, Poland, Bloomberg said.
Post-college, Vasinskyi’s social media bloomed with posts about travels to Milan and Paris, as well as a video showing him taking a spa bath in the Maldives with a young woman.
However, the U.S. Department of Justice says Vasinskyi financed his life by working for “Unknown,” a person who advertised for ransomware affiliates in July 2019. Vasinskyi, calling himself “rabotnik” (worker), told Unknown in December 2019, “I want to return to work.”
The indictment says Vasinskyi was part of a conspiracy that created and deployed the Sodinokibi ransomware and locked up ten companies’ systems, including Kaseya. News accounts of the indictment said the Russian REvil gang developed that strain of ransomware.
The Washington Post reported that another foreign country hacked into REvil’s servers last summer and granted F.B.I. investigators access.
Shortly after Vasinskyi’s arrest, the U.S. Cyber Command hijacked REvil’s traffic, the Post reported.
A REvil member discovered the traffic redirect – and that people were looking for him – and disappeared offline. “Unknown” has gone offline too.
The Post reported the REvil gang then shut down its operations.
Security experts say that the ransomware gang will resurface – and likely resume attacks.