11th November 2021

US Seizes $6m and Sanctions Ransomware Operators and Crypto Exchanges in New Crackdown

New sanctions against ransomware operators and a cryptocurrency exchange, along with the seizure of $6.1m in funds tied to ransom payments, mark an escalation in the US government’s crackdown on ransomware actors and the laundering of their proceeds.

The US Department of the Treasury announced a set of actions aimed at disrupting criminal ransomware infrastructure and the virtual currency exchanges used to launder the proceeds of ransomware.

A Ukrainian national, Yaroslav Vasinskyi, and a Russian, Yevgeniy Polyanin, were sanctioned by the Office of Foreign Assets Control (OFAC) for their part in perpetuating Sodinokibi/REvil ransomware incidents against the United States, and the virtual currency exchange Chatex was sanctioned for facilitating financial transactions for ransomware actors.

Analysis of Chatex’s known transactions shows that over half are directly traceable to illicit or high-risk activity such as darknet markets, high-risk exchanges, and ransomware. Chatex also has direct ties with Suex, using Suex’s function as a nested exchange to conduct transactions. In September, Suex became the first virtual currency exchange to be sanctioned by the US, for laundering the proceeds of cyber ransoms.

IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd, which set up infrastructure for Chatex and enabled its operations, were also sanctioned, and Latvian government authorities have suspended Chatextech’s operations in the country.

“Unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities, especially by laundering and cashing out the proceeds for criminals,” the Treasury statement says.

The same day, the US Justice Department (DOJ) announced that it had seized $6.1m in funds traceable to Polyanin, and that Vasinskyi had been arrested in Poland, where his extradition has been requested.

The Department of State had offered a Transnational Organized Crime Reward of up to $10m for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group.

It also offered a reward of up to $5m for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.

A Financial Crimes Enforcement Network (FinCEN) report identified DarkSide (which perpetrated an attack that disrupted Colonial Pipeline, causing widespread US gasoline shortages in May) and Sodinokibi/REvil as among the most costly ransomware variants in the first half of 2021. During this time, 458 ransomware-related transactions were reported, with a total value of $590m.

“Our message to ransomware criminals is clear: If you target victims here, we will target you,” said Deputy Attorney General Monaco, in response to the DOJ announcement. “The Sodinokibi/REvil ransomware group attacks companies and critical infrastructures around the world, and today’s announcements showed how we will fight back.

“Criminals now know we will take away your profits, your ability to travel, and – ultimately – your freedom. Together with our partners at home and abroad, the Department will continue to dismantle ransomware groups and disrupt the cybercriminal ecosystem that allows ransomware to exist and to threaten all of us.”

Vasinskyi has been charged with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, a multinational information technology software company. Polyanin is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas in August 2019.

According to the indictments, Vasinskyi and Polyanin accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies.

“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting US Attorney Chad E Meacham for the Northern District of Texas.

“The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”

Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. If convicted on all counts, Vasinskyi faces a maximum penalty of 115 years in prison and Polyanin a maximum of 145 years.

The $6.1m seized from Polyanin is alleged to be traceable to ransomware attacks and money laundering committed by Polyanin through his use of Sodinokibi/REvil ransomware.

Ransomware SAR filing best practice

This is a major success for the DOJ’s Ransomware and Digital Extortion Task Force – which was only launched in April – as the US deals with an upswing in digital extortion demands. Reported ransomware payments rose to $590m in the first half of 2021, compared to a total of $416m in 2020.

In addition, FinCEN has released an update to its 2020 Advisory on ‘Ransomware and the Use of the Financial System to Facilitate Ransom Payments’.

The updated advisory reflects information released by FinCEN in its Financial Trend Analysis Report and includes information on current trends and typologies of ransomware and associated payments, as well as recent examples of ransomware incidents.

It also sets out red flag indicators of ransomware-related illicit activity to help compliance teams identify and report suspicious transactions associated with ransomware payments, consistent with their obligations under the Bank Secrecy Act.

Particularly relevant for compliance staff is a section on what to include in suspicious activity reports (SARs), including IP addresses and wallet addresses, and the importance of including key terms such as ‘immediate attention’ and ‘ransomware’.

The DOJ and the Department of Homeland Security (DHS) have also launched a new website to combat the threat of ransomware. StopRansomware.gov is a one-stop hub for ransomware resources for individuals, businesses, and other organizations, to help mitigate ransomware risk.

Read more about global sanctions trends in our 2021 report.