In early July, heading into the holiday weekend, a ransomware attack against the IT management firm Kaseya incapacitated hundreds of businesses, their data encrypted by the notorious REvil ransomware group. Now, US authorities have announced a development as unprecedented as the incident itself: The alleged perpetrator, a Ukrainian national, was arrested in October and is currently awaiting extradition from Poland.

Ransomware gangs have operated with relative impunity over the last few years, in part because so many of them are based in Russia and the Kremlin has steadfastly turned a blind eye. Monday’s Department of Justice announcement, though, shows that the hybrid approach law enforcement has landed on can work. The arrest and pending extradition of 22-year-old Yaroslav Vasinskyi shows that officials are capable of apprehending key players when they slip up. And another major announcement, the seizure of $6.1 million of alleged ransomware payments received by Russian national Yevgeniy Polyanin, shows that authorities can disrupt their targets even when they can’t take them into custody.

“Vasinskyi’s arrest demonstrates how quickly we will act alongside our international partners to identify, locate, and apprehend alleged cybercriminals no matter where they are located,” attorney general Merrick Garland said at a press conference on Monday. “Ransomware attacks are fueled by criminal profits, that is why we are not just pursuing individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them whenever we can to the victims from whom they were extorted.”

The indictments against Vasinskyi and Polyanin don’t go into great detail. Vasinskyi allegedly became involved with REvil most recently in December 2019, when he responded to an advertisement on a Russian hacker forum seeking ransomware affiliates. The people who write ransomware code often cut what are essentially franchise deals for their hacking tools in exchange for a cut of the proceeds—the McDonald’s model for cybercrime. Vasinskyi is accused of carrying out the attack on Kaseya, which in turn spread to a number of the company’s customers through software updates. Ultimately, the attack impacted as many as 1,500 businesses. 

Polyanin, who is 28 years old, is also accused of deploying REvil ransomware against multiple victims. The indictment alleges that he was responsible, at least in part, for a ransomware spree that targeted a large number of local Texas government agencies in August 2019. Polyanin, who lives in Russia, is still at large but is thought to have links to 3,000 ransomware attacks that have collectively attempted to extort at least $13 million from victims.

“This is great news all the way around,” says Allan Liska, an analyst for the security firm Recorded Future. “It reminds ransomware actors that they aren’t safe, even in Russia. ‘If we can’t arrest you, we’ll take your money.’ Even ransomware actors have to use services outside of Russia sometimes, and that’s where law enforcement has power.”

Combined with recently announced sanctions from the Treasury Department and a reward from the State Department for information about the notorious DarkSide ransomware actors, the Justice Department’s action on Monday reflects the Biden administration’s “whole of government” ransomware mantra.
