arstechnica.com
3.14.94.35
Public Scan
URL:
https://arstechnica.com/information-technology/2022/03/feds-extradite-ransomware-suspects-from-2-prolific-gangs-in-a-sin...
Submission: On March 11 via manual from CA — Scanned from CA
Form analysis
2 forms found in the DOM
GET /search/
<form action="/search/" method="GET" id="search_form">
<input type="hidden" name="ie" value="UTF-8">
<input type="text" name="q" id="hdr_search_input" value="" aria-label="Search..." placeholder="Search...">
</form>
POST https://arstechnica.com/civis/ucp.php?mode=login
<form id="login-form" action="https://arstechnica.com/civis/ucp.php?mode=login" method="post">
<input type="text" name="username" id="username" placeholder="Username or Email" aria-label="Username or Email">
<input type="password" name="password" id="password" placeholder="Password" aria-label="Password">
<input type="submit" value="Submit" class="button button-orange button-wide" name="login">
<label id="remember-label">
<input type="checkbox" name="autologin" id="autologin"> Stay logged in</label> <span>|</span> <a href="/civis/ucp.php?mode=sendpassword" data-uri="53ec6d3f65bb7762a489b7a13824e81f">Having trouble?</a>
<input type="hidden" name="redirect" value="./ucp.php?mode=login&autoredirect=1&return_to=%2Finformation-technology%2F2022%2F03%2Ffeds-extradite-ransomware-suspects-from-2-prolific-gangs-in-a-single-week%2F">
<input type="hidden" name="return_to" value="/information-technology/2022/03/feds-extradite-ransomware-suspects-from-2-prolific-gangs-in-a-single-week/">
<input type="hidden" name="from_homepage" value="1">
</form>
Text Content
COMING TO AMERICA — FEDS EXTRADITE RANSOMWARE SUSPECTS FROM 2 PROLIFIC GANGS IN A SINGLE WEEK
MAN ARRIVING FROM UKRAINE ACCUSED OF CAUSING KASEYA SUPPLY CHAIN ATTACK.
Dan Goodin - 3/10/2022, 10:01 PM

Federal prosecutors extradited two suspected ransomware operators this week, including a man they say was responsible for an intrusion that infected as many as 1,500 organizations in a single stroke, making it one of the worst supply chain attacks ever.

Yaroslav Vasinskyi, 22, was arrested last August as he crossed from his native Ukraine into Poland. This week he was extradited to the US to face charges that carry a maximum penalty of 115 years in prison. Vasinskyi arrived in Dallas, Texas, on March 3 and was arraigned on Wednesday.

FIRST UP: SODINOKIBI/REVIL

In an indictment, prosecutors said Vasinskyi is responsible for the July 2, 2021, attack that first struck remote-management-software seller Kaseya and then used Kaseya's own infrastructure to infect 800 to 1,500 organizations that relied on the Kaseya software. Sodinokibi/REvil, the ransomware group Vasinskyi allegedly worked for or partnered with, demanded $70 million for a universal decryptor that would restore all victims' data.
The tactics, techniques, and procedures used in the Kaseya supply chain attack were impressive. The attack started by exploiting a zero-day vulnerability in Kaseya's VSA remote management product, which the company says is used by 35,000 customers. The group stole a legitimate code-signing certificate and used it to digitally sign the malware, suppressing the security warnings that would otherwise have appeared when the malware was installed. The caveat for defenders: a valid signature only proves the binary has not been altered since it was signed; it says nothing about who controls the key, so "signed" must not be read as "trusted" unless the signer is the one expected.

To add further stealth, the attackers used DLL side-loading: a malicious DLL carrying the name of a library a legitimate executable expects is placed in a directory Windows searches before the real copy (typically the executable's own directory), so the executable loads the spoof instead of the legitimate file. In the Kaseya campaign the attackers dropped an outdated version of "msmpeng.exe", the Windows Defender executable, which is legitimately signed but still loaded an attacker-supplied DLL placed beside it.

Federal prosecutors allege that Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout Kaseya's software build system to further deploy REvil ransomware to endpoints on customer networks. Vasinskyi is charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.

REMEMBER NETWALKER?

On Thursday, US prosecutors reported a second ransomware-related extradition, this one of a Canadian man accused of participating in dozens of attacks pushing the NetWalker ransomware. Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, Canada, was arrested in January 2021 on charges that he received more than $27 million in revenue generated by NetWalker. The Justice Department said the defendant has now been transferred to the US, and his case is being handled by the FBI's field office in Tampa, Florida.
NetWalker was an advanced and prolific group that operated under a RaaS (ransomware as a service) model, meaning core members recruited affiliates to use the NetWalker malware to infect targets. The affiliates then split any revenue generated with the core group. A blockchain analysis revealed that between March and July of 2020 the group extorted a total of $25 million. Victims included Trinity Metro, a transit agency in Texas that provides 8 million passenger trips annually, and the University of California, San Francisco, which ended up paying a $1.14 million ransom.

NetWalker was human-operated ransomware, meaning operators often spent days, weeks, or even months establishing a foothold inside a targeted organization before deploying the payload. In January 2021, authorities in Bulgaria seized a darknet website that NetWalker affiliates had used to communicate with victims. The seizure was part of a coordinated international crackdown on NetWalker.

Vachon-Desjardins is charged with conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. Blockchain analysis firm Chainalysis said transactions it tracked show that the Canadian man also helped push the RaaS strains Sodinokibi, Suncrypt, and Ragnarlocker.

This week's extraditions are part of a string of successes that law enforcement authorities have had against ransomware operations in recent months. Last June, the FBI said it seized $2.3 million paid to the ransomware attackers who paralyzed the network of Colonial Pipeline a month earlier and touched off gasoline and jet fuel supply disruptions up and down the East Coast. The website for DarkSide, the ransomware group behind the intrusion, also went down around the same time.
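The Kaseya tradecraft described in the REvil section above (a validly signed but relocated msmpeng.exe loading an attacker-placed DLL, and malware carrying a valid signature from the wrong publisher) shows up in endpoint telemetry as a signed executable running from an unusual directory and loading a DLL from that same directory. The following is an added example, not code from the article, from Kaseya, from Sysmon, or from any party named on the page: a small detection routine run over constructed Sysmon-style "image loaded" records. The expected Defender directories, the field names, the sample paths and the DLL name are assumptions made for the example.

```python
"""Detection logic for DLL side-loading of a signed Windows binary.

Added example; not code from the article or any party it names. Each record
mimics the fields of a Sysmon "Image loaded" event (Event ID 7): Image (the
process executable), ImageLoaded (the DLL), Signed, Signature (the signer)
and SignatureStatus. The records below are constructed sample data.
"""
import json
from pathlib import PureWindowsPath

# Directories the Windows Defender service binary is expected to run from
# (assumption for this example; adjust to the platform versions you deploy).
# An attacker copies an old, still validly signed msmpeng.exe somewhere
# writable and drops a malicious DLL beside it, so the executable's own
# directory, first in the DLL search order, wins.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
ALLOWED_DLL_DIRS = EXPECTED_DEFENDER_DIRS + (r"c:\windows\system32",)
EXPECTED_SIGNER_SUBSTRING = "microsoft"

# Constructed sample events as JSON lines (not real telemetry).
SAMPLE_EVENTS = r'''
{"Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "ImageLoaded": "C:\\Program Files\\Windows Defender\\mpsvc.dll", "Signed": "true", "Signature": "Microsoft Windows Publisher", "SignatureStatus": "Valid"}
{"Image": "C:\\Windows\\MsMpEng.exe", "ImageLoaded": "C:\\Windows\\mpsvc.dll", "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MsMpEng.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\mpsvc.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
'''


def analyze(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list = benign)."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    findings: list[str] = []
    # This example only watches the Defender binary named in the article;
    # a production rule would carry a list of commonly side-loaded hosts.
    if image.name.lower() != "msmpeng.exe":
        return findings
    image_dir = str(image.parent).lower()
    loaded_dir = str(loaded.parent).lower()
    if image_dir not in EXPECTED_DEFENDER_DIRS:
        findings.append("defender_binary_outside_expected_dir")
    if loaded_dir not in ALLOWED_DLL_DIRS:
        findings.append("dll_loaded_from_unexpected_dir")
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    signer = event.get("Signature", "").lower()
    if not (signed and valid):
        findings.append("loaded_dll_unsigned_or_invalid")
    elif EXPECTED_SIGNER_SUBSTRING not in signer:
        # Valid signature, wrong publisher: this is what a stolen or
        # attacker-obtained code-signing certificate looks like in telemetry.
        # "Signed" is not "trusted" unless the signer is the one expected.
        findings.append("loaded_dll_signed_by_unexpected_publisher")
    return findings


def scan(jsonl: str) -> dict[str, list[str]]:
    """Map each suspicious process image to the rules it triggered."""
    results: dict[str, list[str]] = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        hits = analyze(event)
        if hits:
            results[event["Image"]] = hits
    return results


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Run as a script it prints the hits: the two relocated copies of msmpeng.exe are flagged, while the installed copy and the unrelated svchost.exe load are not. The "signed by unexpected publisher" rule is the one that matters for the stolen-certificate case: the signature verifies, so a check that only asks "is it signed?" would wave it through.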
Dan Goodin
Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001
© 2022 Condé Nast. All rights reserved.