A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims.
Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the REvil ransomware group orchestrated more than 2,500 ransomware attacks and demanded ransom payments in cryptocurrency totaling more than $700 million.
"The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains," the U.S. Department of Justice (DoJ) said.
"To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims' data when victims would not pay ransom demands."
Vasinskyi was extradited to the U.S. in March 2022 following his arrest in Poland in October 2021. REvil, prior to formally going offline in late 2021, was responsible for a series of high-profile attacks on JBS and Kaseya.
He previously pleaded guilty in the Northern District of Texas to an 11-count indictment charging him with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.
The Justice Department said it also obtained the final forfeiture of millions of dollars' worth of ransom payments obtained through two related civil forfeiture cases in 2023. This includes 39.89138522 Bitcoin and $6.1 million in U.S. dollar funds that have been traced back to alleged ransom payments received by other members of the conspiracy.
Vasinskyi, alongside Russian national Yevgeniy Polyanin, was sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) in November 2021 as part of broader government-wide efforts to combat ransomware.
The development comes weeks after the DoJ indicted a 37-year-old Moldovan national, Alexander Lefterov (aka Alipako, Uptime, and Alipatime), for operating a botnet comprising thousands of infected computers across the U.S. from March 2021 through November 2021, which were then monetized by selling the access to other threat actors to distribute malware, including ransomware.
"Lefterov and his co-conspirators stole victims' login credentials – i.e., usernames and passwords—from the infected computers and then used the credentials to gain access to victim accounts at financial institutions, payment processers, and retail establishments as means to steal money from the victims," the agency said.
Court documents show that the compromised computers could be accessed directly using a hidden virtual network computing (hVNC) server without the victims' knowledge, thereby allowing Lefterov et al to sign in to their online accounts.