The U.S. Department of Justice announced on Monday that it arrested two foreign nationals allegedly responsible for the Sodinokibi/REvil ransomware attack on businesses and government institutions in the U.S. REvil is the group that attacked Quanta Computer, which resulted in the release of schematics for the new MacBook Pro.
Yaroslav Vasinskyi of Ukraine and Yevgeniy Polyanin of Russia were arrested and charged with conducting ransomware attacks. Two people in Romania were also arrested and charged. While the DoJ’s press release states that REvil’s attacks affected “multiple victims,” the DoJ specifically addresses the July attack on Kaseya, a company that specializes in IT management software.
Last April, REvil attacked Quanta Computer and demanded a $50 million payment or it would release documents it had stolen by breaking into Quanta’s corporate network. When Quanta refused, REvil released the schematics that revealed the ports and logic board of the recently released 14- and 16-inch MacBook Pro. MacRumors reportedly saw the schematics and said that they also included “deeply technical listings of MacBook components and layouts.” Bloomberg reports that REvil also attempted to “shake-down Apple” and the company provided no comment about the situation.
According to the DoJ, REvil conducted its attacks by encrypting data on victims’ computers and leaving text files containing a web address. When a person visited the web address, they were met with a ransom demand; if they paid, they would receive a decryption key to recover the encrypted files. If the ransom was not paid, REvil posted the stolen documents online or claimed that the documents had been sold to a third party.
Vasinskyi and Polyanin are charged with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. Vasinskyi faces a maximum penalty of 115 years in prison, while Polyanin faces a maximum of 145 years. The DoJ also seized $6.1 million from Polyanin, which is allegedly traceable to the ransomware attacks.