This week, the United States Department of Justice announced that it had taken action against two foreign nationals charged with deploying the Sodinokibi/REvil ransomware to attack businesses and government entities in the United States. In an indictment unsealed this week, Yaroslav Vasinskyi, 22, a Ukrainian national, was charged with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, a multi-national information technology software company.
Kaseya, which is headquartered in Dublin, Ireland and has its U.S. operations based out of Miami, said in July that approximately 50 of its direct customers were breached in the attack, but in turn, hundreds and possibly as many as 1,500 businesses may have been compromised, as Kaseya’s customers in turn provide IT services to small businesses. Those include a diverse mix of businesses from restaurants to accounting firms to small retailers. Upwards of 40,000 organizations worldwide use at least one Kaseya software solution.
The Justice Department also announced the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who was also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019. According to the indictments, Vasinskyi and Polyanin accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies.
“Cybercrime is a serious threat to our country: to our personal safety, to the health of our economy, and to our national security,” said Attorney General Merrick Garland. “Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims.”
Cyber criminals often feel a sense of security because they conduct their operations far from the reach of U.S. law enforcement, so this should be seen as a significant victory for the DoJ.
“The Justice Department seems to have a big win on its hands especially with the recovery of stolen funds,” said Bill Lawrence, chief information security officer (CISO) at cybersecurity firm SecurityGate. “This will keep criminals’ heads down and potentially mess with their holiday travel plans.”
However, because cyber crime can be conducted remotely, and often involves little violence, it will continue to be a significant threat.
“The private sector is extremely vulnerable to attacks such as ransomware and needs to bolster protections, create backups and test recovery, and see if cyber insurance is an option,” Lawrence told ClearanceJobs.
International Efforts
Main Justice confirmed that in this case, Vasinskyi was taken into custody in Poland where he remains held by authorities pending proceedings in connection with the requested extradition to the United States, pursuant to the extradition treaty between the United States and the Republic of Poland.
In parallel with his arrest, interviews and searches were carried out in multiple countries, and the DoJ said this would not have been possible without the rapid response of the National Police of Ukraine and the Prosecutor General’s Office of Ukraine.
“This is an example of a great collaboration between local enforcement groups operating in different jurisdictions,” said Nasser Fattah, cybersecurity researcher and North America steering committee chair at Shared Assessments.
“We know that cybercriminals, by design, run their nefarious operations in geolocations free from or with very little interruptions from local authorities,” Fattah told ClearanceJobs. “This often makes tracking and capturing cybercriminals, as well as making appropriate seizures, very difficult to do. Local authorities are restricted – they need to operate within their jurisdiction. They must rely on effective collaboration with other regional authorities when the concern is manifesting from a location outside their jurisdiction.”
Could CMMC Help Protect Contractors?
The scope of last summer’s ransomware attack showed how even a client or vendor could be a weak link in an otherwise secure cybersecurity chain. The question is whether the Cybersecurity Maturity Model Certification (CMMC), which was designed to provide increased IT assurance across the Department of Defense (DoD), could help address such threats.
In theory, the CMMC is meant to put teeth into requirements to protect controlled unclassified information (CUI) and keep the cyber domain safe across government and industry.
“Cybersecurity maturity models represent a good way of growing expertise and awareness within an organization, but they’re not a silver bullet,” explained Saryu Nayyar, CEO of the cybersecurity firm Gurucul.
“They define processes that can bring consistency to detection and response, but the cybersecurity problem remains much broader in scope,” she told ClearanceJobs. “The private sector absolutely remains vulnerable, and many traditional solutions simply aren’t keeping up with the growing threat.”
Whether in the public or private sector, it is necessary to maintain a constant level of due diligence when it comes to cybersecurity.
“Companies that perform risk assessments against well-established frameworks can find gaps, remediate them, and measure their maturity (increasing or decreasing) over time,” said Lawrence.
“The re-work of the CMMC framework should make it more accessible as well as strengthen its underpinnings by aligning it directly to NIST SP 800-171 and -172,” he noted. “Of course, risk assessments using any well-constructed framework are only as good as the people who use them, the resources they have, and the thoroughness of execution. These efforts are well geared towards finding the gaps in controls that allow ransomware to flourish and could make the difference for companies that will be targeted by other actors in the future.”
However, it will still require vigilance to help stop these attacks, and cooperation when it comes to catching and prosecuting those responsible.
“This arrest once again shows that many attacks come from around the world, and that the cooperation and coordination of many countries is needed in order to bring cybercriminals to justice,” added Nayyar. “The attack on organizations using Kaseya was huge in scope, making this a significant win for those who seek to protect our systems and software.”