Nov 8, 2021

DOJ Charges 2 Men in Ransomware Attacks Press Conference Transcript

DOJ Charges 2 Men in Ransomware Attacks Press Conference Transcript
RevBlogTranscriptsDOJ Charges 2 Men in Ransomware Attacks Press Conference Transcript

AG Merrick Garland and FBI Director Chris Wray announced charges in the July 4 ransomeware attack during a press conference on November 8, 2021. Read the transcript of the briefing here.

Transcribe Your Own Content

Try Rev and save time transcribing, captioning, and subtitling.

Speaker 1: (00:00)
… the Treasury, Wally Adeyemo. They will be joined on stage by Assistant Attorney General for the Criminal Division, Kenneth Polite; acting United States Attorney for the northern district of Texas, Chad Meacham; and Special Agent in Charge of the FBI Dallas field office, Matt DeSarno. Following our speakers remarks, they will be happy to answer your questions. With that, you can consider this your two minute warning.

Speaker 1: (00:24)

Attorney General Merrick Garland: (02:47)
Good afternoon. I’m joined today by Deputy Attorney General Monaco, FBI Director Wray and Deputy Treasury Secretary Adeyemo. A core priority of the Justice Department is to keep our country safe from all threats, foreign and domestic. Cyber crime is a serious threat to our country, to our personal safety, to the health of our economy, and to our national security. Cyber crime takes many forms, one of which is ransomware. In ransomware attacks, transnational cyber criminals use malicious software to hold digital systems hostage and demand a ransom. These attacks have targeted our critical infrastructure, law enforcement agencies, hospitals, schools, municipalities, and businesses of all sizes. Meeting this threat requires a whole of government approach. Together with our partners, the Justice Department is sparing no resource to identify and bring to justice anyone anywhere who targets the United States with a ransomware attack. Today, we are announcing that we are bringing to justice an alleged perpetrator of significant wide-reaching ransomware attack. On July 2nd, the multinational information software company Kaseya and its customers were attacked by one of the most prolific strains of ransomware, known as REvil or Sodinokibi.

Attorney General Merrick Garland: (04:17)
To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide with at least $200 million paid in ransom. As a result of the Kaseya attack, businesses that relied on Kaseya services across the United States and around the world were impacted. Six weeks later, on August 11, the Justice Department indicted Yaroslav Vasinski, also known by the online moniker Robotnik. The indictment, which was previously under seal, charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering. The indictment charges that Vasinski and co-conspirators authored REvil software, installed it on victim’s computers resulting in encryption of the victim’s data, including in the July 2nd attack, demanded ransomware payments from those victims, and then laundered those payments. Two months after the indictment, on October 8th, Vasinski crossed the border from Ukraine into Poland. There, upon our request, Polish authorities arrested him pursuant to a provisional arrest warrant.

Attorney General Merrick Garland: (05:44)
We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries. Today, we are unsealing Vasinski’s indictment. Vasinski’s arrest demonstrates how quickly we will act, alongside our international partners, to identify, locate and apprehend alleged cyber criminals no matter where they are located. Ransomware attacks are fueled by criminal profits. That is why we are not just pursuing the individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them, whenever we can, to the victims from whom they were extorted. And that brings me to our second announcement today. In addition to securing the arrest of Vasinski, the Justice Department has seized $6.1 million tied to the ransom proceeds of another alleged REvil ransomware attacker, Russian national Yevgeniy Polyanin.

Attorney General Merrick Garland: (06:50)
As set forth in the public filings related to the seizure, Polyanin, whom we also charged by indict, is alleged to have conducted approximately 3000 ransomware attacks. Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million from his victims. We are also announcing the unsealing of an indictment against Polyanin. Like the indictment against Vasinski, he is charged with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers, and conspiring to commit money laundering. Today., And now for the second time in five months, we announce the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats. But while today’s announcements mark important successes, I want to emphasize that we all must play a role in improving our cyber defenses.

Attorney General Merrick Garland: (08:17)
This includes the American business community. Being vigilant and investing resources in cyber security should be a high profile priority for all of us. In addition, when ransomware attacks do occur, law enforcement’s ability to respond depends in large part on whether and how promptly the victim reports the attack. Failure to timely report also puts other potential victims into jeopardy. It deprives investigators of the information they need to forestall or mitigate other attacks. It is for this reason that we urge Congress to create a national standard for reporting significant cyber incidents, and to require that the report…

Attorney General Merrick Garland: (09:03)
… significant cyber incidents, and to require that the reported information be shared immediately with the Justice Department. Our message today is clear. The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from the American people.

Attorney General Merrick Garland: (09:27)
Over the past seven months, the Justice Department has sharpened the tools at our disposal to investigate and prosecute ransomware attacks. We have created the DOJ Ransomware and Digital Extortion Task Force, as directed by the Attorney General, which includes the Criminal Division, the National Security Division, the Executive Office of United States Attorneys, the Civil Division, and the Federal Bureau of Investigation.

Attorney General Merrick Garland: (09:55)
I would like to thank all of our partners who have assisted in this effort, including CISA, the Treasury Department and the State Department, as well as our many foreign law enforcement partners. Finally, I’d like to thank all those within DOJ for their work.

Attorney General Merrick Garland: (10:12)
This includes the US Attorney’s Office for the Northern District of Texas, the Criminal Division’s Computer Crime and Intellectual Property Section, and Office of International Affairs, the National Security Division, and the Jackson and Dallas FBI Field Offices, which led the department’s investigation. I’ll now turn the podium over to Deputy Attorney General Monica, who will provide further details.

Deputy Attorney General Lisa O. Monaco: (10:44)
Good morning, and thank you, Attorney General Garland. Our announcement today reflects the work of the department’s Ransomware and Digital Extortion Task Force, as part of a whole of government response to the threat of ransomware. Both the arrest of Vasinskyi, and the charges against Polyanin, and the seizure of dollars in cryptocurrency, show we will be relentless in our mission to investigate, to disrupt and to prosecute ransomware attacks.

Deputy Attorney General Lisa O. Monaco: (11:19)
Over the past seven months, the Task Force, through these individuals who you see represented here today, and are additional domestic and international partners, we have been using every tool at our disposal and leveraging every authority we have, to hunt down and hold accountable, cybercriminals, wherever they may seek to hide. Exactly five months ago, I stood at this very podium to announce that the Department of Justice had turned the tables on ransomware attackers, and seized millions of dollars in cryptocurrency paid in ransom during the Colonial Pipeline ransomware attack.

Deputy Attorney General Lisa O. Monaco: (12:02)
Today, we are back to tell the American people that we’ve done it again. This time, the Ransomware and Digital Extortion Task Force has delivered a significant blow to the Sodinokibi and REvil ransomware gang, who attacked thousands of victims worldwide.

Deputy Attorney General Lisa O. Monaco: (12:19)
These victims are networks of information technology providers. They are financial services firms. They are critical infrastructure entities, nonprofits, law enforcement agencies, local governments, and food and agricultural suppliers.

Deputy Attorney General Lisa O. Monaco: (12:37)
Once again, we were able to recover ransom by following the money. The career prosecutors and the Special Agents of the FBI, working with partners around the globe, did some good old-fashioned detective work, by chasing down digital leads, identifying infrastructure to dismantle, and seizing funds.

Deputy Attorney General Lisa O. Monaco: (12:59)
Our partners at the State Department, we’re able to build on our actions, and later today, they will be announcing a reward for those who assist us in our efforts to bring REvil actors to justice. Our partners at the Treasury Department are also using their sanctions authority. Deputy Secretary Adeyemo will discuss that shortly.

Deputy Attorney General Lisa O. Monaco: (13:21)
Our work won’t stop today. The department’s National Cryptocurrency Enforcement Team will continue to work with our partners at the Treasury Department to deprive bad actors of their profits, and to dismantle the financial exchanges that knowingly enable criminal actors who seek ransom rewards for flourish, and to profit.

Deputy Attorney General Lisa O. Monaco: (13:45)
Ransomware knows no border, and so, our effort to combat it must be equally transnational, as they were in this case. Today’s announcement, and the arrest of Vasinskyi, in particular, was possible because of the strong partnership between US law enforcement and our foreign counterparts. The arrest we announced today, and the charges and the seizures, are part of a coordinated law enforcement set of actions taken with partners across four different continents. These actions include the arrest of two additional REvil actors announced earlier today by Romanian authorities.

Deputy Attorney General Lisa O. Monaco: (14:26)
Ultimately, though, the success of this case proves the crucial importance of victim companies coming forward, and working with the Department of Justice and the FBI, when they are first hit with an incident. The Director will speak a little bit more about this, and about exactly what the FBI did in this case.

Deputy Attorney General Lisa O. Monaco: (14:45)
But I want to make clear, that we are here today because in their darkest hour, Kaseya made the right choice, and they decided to work with the FBI. Almost immediately after they were hit, Kaseya provided the FBI information they needed to act, and to act fast.

Deputy Attorney General Lisa O. Monaco: (15:06)
In doing so, we were ultimately able to identify and help many victims of this attack, and also to follow the trail to Vasinskyi. Equally important, we worked with our partners at CISA, to provide information to the public and to help prevent future attacks.

Deputy Attorney General Lisa O. Monaco: (15:24)
What you see here today is a United frond, and our message should be clear. If you target victims here, we will target you. And the Department of Justice won’t give up until you are held accountable.

Deputy Attorney General Lisa O. Monaco: (15:43)
To Americans watching today, to those who own small businesses, to those who run Fortune 500 companies, who manage hospitals, and oversee school districts, this case is the reason you want to work with law enforcement. Know that if you pick up the phone, and if you call the FBI, this team is waiting for you on the other end of the line. And now, I’ll turn the podium over to Director Wray.

FBI Director Christopher A. Wray: (16:20)
Well, good afternoon. Today’s announcement of the arrest of Yaroslav Vasinskyi, in Poland, and the charges against, and seizure from Yevgeniy Polyanin, shows what’s possible when federal law enforcement and international law enforcement work together with private sector companies.

FBI Director Christopher A. Wray: (16:37)
It also demonstrates our resolve in pursuing enterprises that use ransomware to threaten our critical infrastructure, our public health and safety, and our economic vitality. As the Attorney General noted, this ransomware strain has wreaked havoc across the globe, extorting vast sums and inflicting significant damage with attacks on, to name, just a few, JVS Foods, local governments in Texas, hospitals, schools, 911 call centers, and of course, Kaseya.

FBI Director Christopher A. Wray: (17:13)
When Kaseya realized that some of their customers’ networks were infected with ransomware, they immediately took action. They worked to make sure that both their own customers, managed service providers, and those MSPs’ customers downstream, quickly disabled Kaseya’s software on their systems. They also engaged with us early.

FBI Director Christopher A. Wray: (17:34)
The FBI then coordinate with a host of key partners, including CISA, and foreign law enforcement and intelligence services, so Kaseya could benefit from all of our expertise and reach, as it worked to put out the fire. Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit, and for us to quickly share with Kaseya and its customers, information about what the adversaries were doing …

FBI Director Christopher A. Wray: (18:03)
… customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger. Here, we were able to obtain a decryption key that allowed us to generate a usable capability to unlock Kaseya’s customer’s data. We immediately strategized with our inter agency partners and reached a carefully considered decision about how to help the most companies possible, both by providing the key and by maximizing our government’s impact on our adversaries who were continuing to mount new attacks. Ultimately, we were able to both unlock encrypted data and take bad actors out of operation, including by hitting Sodinokibi more broadly, seizing cryptocurrency, and as you just heard, late last week, our partner Romanian authorities also arrested to other individuals suspected of cyber attacks using Sodinokibi or evil ransomware. As the Attorney General, and the Deputy Attorney General mentioned the steps we’ve announced today are yet another example highlighting why the public needs breach reporting legislation that provides the FBI real time access to information about ransomware attacks and other criminal breaches. When the FBI is engaged early, we can provide victims more and better support. We can get them intelligence and technical information they need faster, and we can work quickly back from the intrusion to follow and seize the criminal’s money before it can jump through wallet after wallet and exchange after exchange, identify other victims of about to be hit or in the early stages of further attacks, and make connections between what the reporting victim sees and intelligence that we’re gathering from around the world, arming both the private sector and our government partners with insights that they can act on. We’ve deployed technically trained agents, computer scientists, intelligence analysts, and others in every one of our 56 field offices across the country so that we can warn businesses both big and small, wherever they may be, quickly, and with the information they need to defend their networks.

FBI Director Christopher A. Wray: (20:20)
Over the past few years, ransomware schemes have repeatedly crippled hospital systems, targeted the energy sector, threatened emergency services, and cost or endangered thousands of jobs at businesses of every kind and size. Now, most of the time, the actors themselves are trying to hide abroad, but as we’ve shown time and time again, we’re still going to pursue them, disrupt them, and hold them accountable. The long arm of the law reaches a lot further than they think. And we’ve got ways of disrupting those sheltering in places like Russia, as Polyanin discovered, when he woke up and found 6.1 million that he’d extorted from his victims missing.

FBI Director Christopher A. Wray: (21:06)
Good partners of ours, like the Treasury and State Departments, are also adept at turning the results of our investigations into action and pressure abroad. I want to thank Kaseya and other private sector partners for their invaluable help in this case, and for the way they joined our response to the ransomware threat. Also want to thank the FBI’s own Dallas and Jackson field offices for leading the investigation, and I’m grateful to all our federal partners and our many foreign partners, especially Poland, Romania, Ukraine, France, and Germany. The cyber threat is daunting, but when we combine the right people, the right tools and the right authority, our adversaries are no match for what we can accomplish together. Thank you. And I’ll turn it over to Deputy Secretary Wally Adeyemo.

Deputy Secretary Wally Adeyemo: (22:11)
Mr. Attorney General, thank you for having me. It’s good to be here to be able to talk about the inter agency efforts that we have launched to counter ransomware. Ransomware groups and criminal organizations have targeted American businesses of all sizes and have disrupted economic activity across the country. These attacks are not just a national security issue, but an economic security issue as well. That’s why we, at Treasury, are committed to being and to bear all of the authorities that we have to disrupt, deter, and prevent ransomware attacks from happening.

Deputy Secretary Wally Adeyemo: (22:44)
Over the last several months, Treasury has taken several actions to counter cyber criminals. We have disrupted the digital financial ecosystem to provide ransomware actors with safe haven. We have provided resources, the private sector to help businesses understand and comply with anti-money laundering, encountering financing of terrorism obligations related to ransomware pay and virtual currency, and we have encouraged improved cyber security measures today. Targeted disruption actions and updated ransomware advisory will further advance these efforts. In coordination with our colleagues at the Department of Justice and FBI, Treasury today is announcing sanctions against two ransomware affiliates who are part of a group that implemented some of the most devastating ransomware attacks against the United States.

Deputy Secretary Wally Adeyemo: (23:33)
Treasury is also sanctioning a virtual currency exchange, Chatex, and its enabling companies that have provided financial facilitation for multiple ransomware variants. This means that effective immediately, all assets of these entities that are subject to US jurisdiction are blocked. All transactions are prohibited for US persons and all domestic exchanges are prohibited from processing transactions with this exchange. While virtual currency exchanges, mostly conduct predominantly legitimate activity, certain virtual currency exchanges provide financial services to, or facilitate money laundering for ransomware actors that enabled them to extract profits from these attacks.

Deputy Secretary Wally Adeyemo: (24:22)
I want to call on legitimate virtual currency exchanges to continue their efforts to root out abuse and reiterate that they play a critical role in implementing appropriate AML and CFT and sanctions controls. These controls prevent sanctioned persons and other illicit actors from exploiting virtual currencies to undermine US foreign policy and national security interest. Our actions today also demonstrate how the United States is working with our international counterparts to disrupt the ransomware ecosystem. International partnerships are critical to identifying and disrupting the flow of illicit proceeds from ransomware attacks since many virtual currencies can be transferred across borders nearly instantaneously. Our actions are always more effective when we take them multi-laterally and closely coordinate with our partners, similar to the way the Justice Department has done today. To support today’s Treasury coordinated with Estonia and Latvia, we would like to thank both partners for concurrent actions they took and encourage other countries to similarly protect their financial systems from abuse, take actions to hold ransomware actors accountable, and implement the international AML/CFT standards for virtual currencies to mitigate criminal misuse of these assets.

Deputy Secretary Wally Adeyemo: (25:42)
In addition to the sanction designated today, our Financial Crimes Enforcement Network, or FINCEN, has also updated its 2020 advisory on ransomware and the use of financial system to facilitate ransomware payments. The updated advisory includes information on current trends and typologies of ransomware and associated payments, as well as recent examples of ransomware attacks. I want to use this opportunity to also remind entities engaged in money transmission, which includes the transmission of virtual currency, that they’re required to register as money servicing businesses with FINCEN and they are subject to the Bank Secrecy Act obligations, including filing suspicious activity reports. Safeguards against money laundering keep our financial systems safe. Our team at Treasury is proud to work with DOJ, State, and our foreign partners to disrupt financial nodes tied to ransomware payments and cyber attacks in order to protect our economy and our national security, and we look forward to continuing to do that work in the future. Thank you.

Speaker 2: (26:52)
All right. Let’s take some questions. Pierre, you want to [inaudible 00:26:53]?

Pierre: (26:54)
General Garland, any evidence that the Russian government either condoned or was aware of any of this activity that you took action on today? And I have one off topic question.

Pierre: (27:03)
… this activity that you took action on today, and I have one off-topic question.

Attorney General Merrick Garland: (27:06)
So this is an ongoing investigation, we really can’t comment about that, but I will say that we expect and hope that any government in which one of these ransomware actors is residing, will do everything it can to provide that person to us for prosecution.

Pierre: (27:27)
And now for the question, horrifically, down in the Houston area with so many people injured and who died, there are some reports that some of the victims may have been tricked or injected with a drug of some sort, a security guard in particular the Houston Police Chief mentioned. Is there any federal jurisdiction here? Is the FBI or any justice department entity looking into this case?

Attorney General Merrick Garland: (27:51)
For this one, I’m going to refer to the director.

FBI Director Christopher A. Wray: (27:57)
I think all I can really say on that right now, Pierre, is that the Houston Police and Harris County have the lead, but we are providing some forms of technical assistance, but that’s all I can really say on it right now.

Speaker 3: (28:11)
All right, Ellen.

Ellen: (28:13)
Can you tell me, is this the first time you’re indicting Russian ransomware actors, or have you done that before?

Attorney General Merrick Garland: (28:29)
[inaudible 00:28:29].

Deputy Attorney General Lisa O. Monaco: (28:29)
No, and indeed last week, we secured the physical presence of a Russian cybercriminal who was hiding out in South Korea, and we worked with our partners to get him here into an American courtroom, and I think that action and today’s action reflects what we are determined to do, which is to use all of our tools, both domestically and working with our partners, to hold accountable those who seek to target infrastructure here.

Ellen: (28:58)
And I have a follow-up for Director Wray. Thank you, Director, for your explanation of a little bit of the timeline. You say that immediately after the Kaseya came forward, you were able to strategize and reach a carefully considered decision to both provide the key and maximize your law enforcement equities, and I reported on some of that earlier. Can you give me a little bit better timeline as to what you decided to do when? Because I know you were also planning to do a disruption of our REvil, and which is one of the factors going into the decision to not immediately turn over the encryption key, and that also, there was an assessment, I believe provided by CISA, that I was told that the victim impact wasn’t as severe as initially thought. And so, putting all of these factors into the mix, I think the interagency decided it was okay to withhold the key for a bit of time, until you could do your disruption. And then of course, REvil well took itself down, so you didn’t do your disruptions. Give me a little more visibility into that time-

FBI Director Christopher A. Wray: (30:17)
Yeah, I’m not going to try to confirm or tweak your chronology there, but what I would say is, I think it’s important for people to understand that when we find technical information like encryption keys, first off, I wish we would find them more often. It’s not something that happens in every case, but it’s a specific goal of the investigation, right? So that’s something that our folks are tasked with looking for. It’s not something we just kind of stumble across by happenstance, it’s a specific aim of the investigation, so that we can then turn around and push it out to companies and victims, and potential victims.

FBI Director Christopher A. Wray: (30:54)
When we do that, though, when there’s a decision, when there’s any kind of weighing of multi factors, it’s an interagency group decision, it’s a team decision, it’s not something the FBI does unilaterally, then there’s a whole bunch of things that go into it. So that ranges from things like the testing and validation of the tool, which is part of it. We can’t just turn around and push something out, we got to make sure it actually works, we got to make sure that it’s not going to make things worse and rather than better. In some cases, remember who’s designing these things in the first place, so we don’t want to inadvertently put malware on somebody’s computer that we’re trying to help, so that takes some time.

FBI Director Christopher A. Wray: (31:28)
In addition, when you got a multi- front, multinational, operation like this, which is more and more how we would tackle any kind of ransomware actors, there’s a whole bunch of factors, but ultimately, ultimately, it all boils down to trying to make sure that we can maximize the impact on the ransomware actors, and maximize the benefit to the most victims and the most potential victims, and so, that’s kind of how it all gets worked together. A lot of times that can happen, very, very quickly, sometimes it takes a little bit longer. So, that’s really all I can say to it here today.

Speaker 3: (32:04)
All right, [inaudible 00:32:05].

Speaker 4: (32:06)
This is for either the Attorney General or FBI Director. Can you talk a little bit about how you affected the arrest of Vasinski, why he moved from Ukraine to Poland? And can you also talk about now with him in custody, the size of his network that’s still out there? And I have one off-topic question.

Attorney General Merrick Garland: (32:30)
[inaudible 00:32:30]. More general, in high level of generality, we requested, pursuant to a provisional warrant, we requested his arrest by the Poles. I don’t know whether the director wants to be any more detail than that.

FBI Director Christopher A. Wray: (32:57)
I think all I can really say on that is the Poles have been terrific partners, and we’re very grateful for their assistance, and partnership is one of the main themes that everybody should take away from this operation, and the fact that we have such good partnerships with the Poles, with the Ukrainians, with the Romanians, et cetera, is part of what enables us to reach these types of hackers much more effectively. And there are lots of reasons why people travel, and I can’t get into the specific reasons why Mr. Vasinski traveled, but boy, are we glad he did.

Speaker 4: (33:33)
And the off-topic question [inaudible 00:33:36]. Can you provide the status of the referral for Mr. [Bannon 00:33:41], where you are on that?

Attorney General Merrick Garland: (33:43)
No, this is a criminal matter. It’s an ongoing examination of the referral, and as you know, the Justice Department doesn’t comment on those. We evaluate these in the normal way we do, facts and the law, and applying the principles of prosecution. Thank you.

Speaker 3: (34:03)
All right. Thanks everybody. Have a good day.

Transcribe Your Own Content

Try Rev and save time transcribing, captioning, and subtitling.