The Justice Department said on Monday that it had brought charges against a Russian national whom it accused of conducting ransomware attacks against American government entities and businesses, including one that temporarily shut down the meat supply giant JBS.
In the Biden administration’s latest crackdown on cybercrime, the Justice Department also announced that it had seized $6.1 million in ransom paid to the Russian man, Yevgeniy Polyanin, 28, who was accused in court documents of deploying ransomware known as REvil against businesses and government offices in Texas in 2019.
Mr. Polyanin, who is believed to be abroad, has not been taken into custody by American authorities and the prospects of him facing trial in the United States remain unclear.
The department also unsealed a separate indictment on Monday accusing a Ukrainian national, Yaroslav Vasinskyi, 22, with conducting multiple ransomware attacks, including the July 2021 assault on the technology company Kaseya. The attack on Kaseya, which manages internet technology infrastructure for other companies, allowed hackers to infect the systems of Kaseya’s hundreds of customers, including Swedish pharmacies and grocery chains.
Mr. Vasinskyi was arrested last month by authorities in Poland as he crossed into that country, and the Justice Department is seeking his extradition to stand trial in the U.S.
“The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims,” Attorney General Merrick B. Garland said in a statement.
The arrests are part of a sustained, coordinated, global effort to combat ransomware. That effort has intensified in recent weeks as authorities in Ukraine, Romania, Kuwait and South Korea started arresting cybercriminals who use what is known as “ransomware as a service.”
“We are bringing the full strength of the federal government to disrupt malicious cyberactivity and actors, bolster resilience at home, address the abuse of virtual currency to launder ransom payments, and leverage international cooperation to disrupt the ransomware ecosystem and address safe harbors for ransomware criminals,” President Biden said in a statement on Monday.
In a ransomware attack, hackers break into a company’s or agency’s computer network, encrypt the data, and then demand a ransom to decrypt it.
In recent years, ransomware groups have used a double-extortion scheme where they not only hold data hostage, but threaten to leak it online. Some groups have started offering the use of their ransomware code, portals, payment platforms and messaging infrastructure to others to conduct attacks, as in the Texas case using REvil, provided by a hacker group of the same name.
Last month, the Biden administration hosted a two-day conference with 30 other countries to create a coalition dedicated to disrupting the global ransomware ecosystem.
Cybersecurity experts say most ransomware developers are based in Russia, where they enjoy broad immunity because Russia does not arrest or extradite them. (Russia was notably not invited to the Biden administration’s summit.) This has limited options for law enforcement in the United States, Europe and other countries.
But in the past few months, American officials have changed tack. Last week, the State Department announced a $10 million reward for anyone who could help provide information about the leaders of DarkSide, a ransomware group alternately known as BlackMatter, which was behind the hack of Colonial Pipeline last May.
Mr. Biden said on Monday that when he met with Russian President Vladimir V. Putin in June, he made clear that the U.S. “would take action to hold cybercriminals accountable.”
American officials have also started clawing back ransom payments from cybercriminals, as they did in the case of DarkSide last June and with Mr. Polyanin, as announced on Monday.
“The message is: ‘You might think we can’t arrest you because you’re living in Russia, but there are a lot of other ways we can get to you,’” said Allan Liska, an intelligence analyst at Recorded Future, a cybersecurity firm. “This kind of sustained, cooperative law enforcement operation is making it far more expensive to conduct ransomware attacks and it’s starting to scare them.”
Over the past few weeks, members of REvil and DarkSide have both gone dark, signing off from cybercriminal forums on the Dark Web. “They’re signing off and staying off,” said Mr. Liska. “We’re used to seeing these groups pop back up in different forms, but I’m not so sure we’re going to see REvil and DarkSide again.”
When asked at a news conference whether the Russian government condoned the effort to rein in ransomware criminals, or was cooperating in efforts to detain Mr. Polyanin, Mr. Garland said that he could not comment because the investigation was ongoing.
“We expect and hope that any government in which one of these actors is residing will do everything it can to provide that person to us for prosecution,” he said.
Last week, the Justice Department located a Russian cybercriminal who was hiding out South Korea, and the department worked with other governments to get the accused man into a U.S. courtroom, Deputy Attorney General Lisa O. Monaco said at the news conference announcing the indictments.
The enforcement actions undertaken last week and on Monday show that “we’ll use all tools and partners to hold accountable bad actors,” Ms. Monaco said.
The Justice Department said that it would continue to escalate its fight against cybercrime, which it sees as a serious economic and national security threat. In an interview last week with the Associated Press, Ms. Monaco said that more arrests and seizures of ransom payments were imminent.
But even as cybersecurity experts applauded the latest moves against REvil and its affiliates on Monday, other ransomware gangs continued to attack American cities, counties and even police departments.
Just after the Justice Department announced its latest charges on Monday, a ransomware gang called Pysa — the subject of an F.B.I. warning last year — started leaking data from more than 50 new victims. Among them were the town of Bridgeport, W. Va., and a school in Omaha. Another ransomware group, called Grief, hit a police department in Fulton, N.Y.
The latest targets did not immediately respond to requests for comment.