URL: https://arstechnica.com/information-technology/2022/03/feds-extradite-ransomware-suspects-from-2-prolific-gangs-in-a-sin...
COMING TO AMERICA —


FEDS EXTRADITE RANSOMWARE SUSPECTS FROM 2 PROLIFIC GANGS IN A SINGLE WEEK


MAN ARRIVING FROM UKRAINE ACCUSED OF CAUSING KASEYA SUPPLY CHAIN ATTACK.

Dan Goodin - 3/10/2022, 10:01 PM
Federal prosecutors extradited two suspected ransomware operators, including a
man they said was responsible for an intrusion that infected as many as 1,500
organizations in a single stroke, making it one of the worst supply chain
attacks ever.

Yaroslav Vasinskyi, 22, was arrested last August as he crossed from his native
country of Ukraine into Poland. This week, he was extradited to the US to face
charges that carry a maximum penalty of 115 years in prison. Vasinskyi arrived
in Dallas, Texas, on March 3 and was arraigned on Wednesday.


FIRST UP: SODINOKIBI/REVIL

In an indictment, prosecutors said that Vasinskyi is responsible for the July 2,
2021, attack that first struck remote-management-software seller Kaseya and then
caused its infrastructure to infect 800 to 1,500 organizations that relied on
the Kaseya software. Sodinokibi/REvil, the ransomware group Vasinskyi allegedly
worked for or partnered with, demanded $70 million for a universal decryptor
that would restore all victims’ data.

The tactics, techniques, and procedures used in the Kaseya supply chain attack
were impressive. The attack started by exploiting a zero-day vulnerability in
Kaseya’s VSA remote management service, which the company says is used by 35,000
customers. The group stole a legitimate software-signing certificate and used it
to digitally sign the malware. This allowed the group to suppress security
warnings that would have otherwise appeared when the malware was being
installed.



To add further stealth, the attackers used a technique called DLL side-loading,
which places a spoofed malicious DLL file in the Windows WinSxS directory so that
the operating system loads the spoof instead of the legitimate file. The hackers
in the Kaseya campaign dropped an outdated version of “msmpeng.exe,” the Windows
Defender executable, which remained vulnerable to side-loading.

Federal prosecutors allege that Vasinskyi caused the deployment of malicious
Sodinokibi/REvil code throughout Kaseya’s software build system to further
deploy REvil ransomware to endpoints on customer networks. Vasinskyi is charged
with conspiracy to commit fraud and related activity in connection with
computers, damage to protected computers, and conspiracy to commit money
laundering.

REMEMBER NETWALKER?

On Thursday, US prosecutors reported a second ransomware-related extradition,
this one against a Canadian man accused of participating in dozens of attacks
pushing the NetWalker ransomware.

Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, Canada, was arrested in
January 2021 on charges that he received more than $27 million in revenue
generated by NetWalker. The Justice Department said the defendant has now been
transferred to the US, and his case is being handled by the FBI’s field office
in Tampa, Florida.

NetWalker was an advanced and prolific group that operated under a RaaS—short
for "ransomware as a service"—model, meaning core members recruited affiliates
to use the NetWalker malware to infect targets. The affiliates would then split
any revenue generated with the organization. A blockchain analysis revealed that
between March and July of 2020, the group extorted a total of $25 million.
Victims included Trinity Metro, a transit agency in Texas that provides 8
million passenger trips annually, and the University of California, San
Francisco, which ended up paying a $1.14 million ransom.

NetWalker was a human-operated ransomware operation, meaning its operators often
spent days, weeks, or even months establishing a foothold inside a targeted organization. In
January 2021, authorities in Bulgaria seized a website on the darknet that
NetWalker ransomware affiliates had used to communicate with victims. The
seizure was part of a coordinated international crackdown on NetWalker.

Vachon-Desjardins is charged with conspiracy to commit computer fraud and wire
fraud, intentional damage to a protected computer, and transmitting a demand in
relation to damaging a protected computer. Blockchain analysis firm Chainalysis
said transactions it tracked show that the Canadian man also helped push RaaS
strains Sodinokibi, Suncrypt, and Ragnarlocker.

This week’s extraditions are part of a string of successes that law enforcement
authorities have had in recent weeks. Last June, the FBI said it seized $2.3
million paid to the ransomware attackers who paralyzed the network of Colonial
Pipeline a month earlier and touched off gasoline and jet fuel supply
disruptions up and down the East Coast. The website for Darkside, the ransomware
group behind the intrusion, also went down around the same time.


Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001

© 2022 Condé Nast. All rights reserved.