U.S. Ransomware Attack Suspect Hails From a Small Ukrainian Town
(Bloomberg) -- Dubrovytsia is a small town near Ukraine’s northern border with Belarus that boasts a Nobel laureate, physicist Georges Charpak, and a high school that attracts tech-savvy teenagers interested in math and computer science.
Dubrovytsia is also the hometown of Yaroslav Vasinskyi, who U.S. authorities have accused of executing ransomware attacks using malware from a Russia-linked cybergang known as REvil, or Sodinokibi. Among the most prolific ransomware gangs in recent years, REvil is also accused of the May attack on meatpacking giant JBS SA, and took credit for the hack of Apple supplier Quanta Computer Inc.
By the time U.S. authorities announced the charges, Vasinskyi was already in custody, having been arrested on Oct. 8 as he was crossing the border between Ukraine and Poland, where he went to college and has lived since 2016. A court in Lublin ruled on Tuesday that Vasinskyi can be extradited to the U.S. His lawyer, Leszek Cichon, declined to say whether he’ll appeal and said his client doesn’t want to be interviewed.
The 21-page indictment leaves open the question of how a computer-savvy teenager from small-town Ukraine became an alleged ransomware hacker.
On social media, and back in his hometown, Vasinskyi has discussed his interests and future aspirations -- a teenage computer whiz and basketball fan who wanted out of Dubrovytsia.
“I want to go abroad and never come back,” Vasinskyi wrote on what appears to be his Vkontakte account on July 22, 2013, when he was 13. A year later, in what may be little more than teenage bravado, he wrote, “If they tell you nasty things about me, believe every word.”
A former teacher, headmaster and a schoolmate described him as quiet and friendly.
By the time he was in high school, Vasinskyi could easily disable the protection installed on the students’ personal computers and switch off the teacher’s remote control without knowing the password, a former teacher said. “He didn’t like to be told what to do,” said Serhiy Beresten, 32, who taught Vasinskyi computer programming. Vasinskyi also won several prizes in computer science competitions.
“He was something of a genius, a man who saw each task his own way,” Beresten said. “He has always had his own point of view. When I was giving an assignment he tried to solve it in a different way.”
In his senior year, Vasinskyi began working as a freelancer, repairing mobile phones and building websites, which earned him enough to pay for college in Lublin, in eastern Poland, according to his teacher.
In recent years, Vasinskyi did some freelance work for a company called Liga Inform, a news website founded in 2017, according to Oleksandr Kulik, 22, the founder and editor. Vasinskyi worked as a stringer remotely from Poland “collecting information” for the media, Kulik said in an interview. He declined to provide more details on Vasinskyi’s work, citing confidentiality and safety reasons.
Kulik said he wasn’t aware of any wrongdoing by Vasinskyi and said he wasn’t responsible for how the publication’s journalists spend their spare time.
Liga Inform uses a name similar to that of an unrelated and well-established Kyiv-based web publication, and Kulik’s company has been accused of selling fake press credentials. Asked about the allegation, Kulik said the company gives press cards to all people who want “to make their contribution to the development of independent media in Ukraine” and to fight corruption.
Recent postings on what appear to be Vasinskyi’s social media accounts suggest he’s thrived while living in Poland, showing off a Mercedes car and pictures from Milan and Paris. In January, he published a video on Facebook from the Maldives, taking a spa bath with a young woman in a pool full of flowers.
By this time, according to prosecutors, his hacking career was in full swing. According to his indictment, from early March 2019 through August 2021, Vasinskyi and conspirators accessed the computer networks of nearly a dozen organizations, mostly companies, in Texas and elsewhere, and deployed ransomware.
In several instances, after hacking into the computers of a company, Vasinskyi and his conspirators also allegedly infiltrated its customers’ networks, vastly expanding the pool of victims.
Ransomware is a type of cyberattack in which hackers encrypt a victim’s computers and then demand payment to unlock them. Such attacks have thrived in recent years because they are so lucrative and because the hackers, many of them based in Russia, have little chance of being caught.
Some of the biggest ransomware gangs, including REvil, have sold their malware to so-called affiliates, who then execute the attacks in what is known as the “ransomware-as-a-service” model. The indictment suggests that Vasinskyi was working as an affiliate.
The document says that Vasinskyi, who used such monikers as Yarik45, Yaroslav2468 and Rabotnik (“worker” in Russian), and co-conspirators accessed internal computer networks of various firms without authorization and deployed Sodinokibi ransomware, which encrypted computers. After that, the suspects allegedly demanded ransom to decrypt the data, which in one case reached as much as $700,000.
The indictment provides some details about how Vasinskyi allegedly made contact with REvil.
In early July 2019, a conspirator using the moniker “Unknown” posted an advertisement soliciting individuals to interview to become affiliates for the distribution of Sodinokibi ransomware, according to the indictment. The affiliate would initially receive 60% of each ransom, rising to 70% after three ransom payments.
In mid-December that year, Vasinskyi sent a message on a criminal forum to “Unknown,” according to the indictment. He wrote, in Russian, “Hello, this is rabotnik. I want to return to work.”
‘Law and Geography’
Vasinskyi was arrested in Dorohusk, a village on the Polish-Ukrainian border, according to Polish authorities. Police seized $10,000 during his arrest, according to Cyberscoop. He is expected to be extradited because Poland, unlike Ukraine, has an extradition treaty with the U.S.
In announcing Vasinskyi’s indictment, U.S. prosecutors said they had also charged a Russian national, Yevgeniy Polyanin, with conducting REvil ransomware attacks. The Department of Justice said it had seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, a resident of the Siberian city of Barnaul. Polyanin, who remains at large, couldn’t be located for comment.
Ukraine’s and Poland’s cyberpolice declined to comment. REvil, meanwhile, appears to be closed down, following actions by U.S. Cyber Command and a foreign government against the ransomware gang, according to the Washington Post.
“In other circumstances I would be proud of such a student,” said Beresten, the teacher. “As one of my colleagues said, he was taught computer science well, but was taught the fundamentals of law and geography badly.”
©2021 Bloomberg L.P.