US sanctions VPN and malware firms aiding ransomware attacks

▼ Summary
– The U.S. Treasury sanctioned two individuals and one entity for supporting ransomware attacks, including First VPN Service (1VPNS) and its administrator Dmytro Rashevskyi.
– 1VPNS sold VPN services to ransomware groups, advertised no-log policies, and Rashevskyi used false identities to acquire infrastructure from companies that would have refused service.
– European law enforcement dismantled 1VPNS’s website and infrastructure in May as part of “Operation Saffron,” seizing 33 servers across 27 countries and arresting its administrator.
– The Treasury also sanctioned Belarusian Yegeniy Vladimirovich Silayev for selling cryptors that help ransomware evade detection, causing billions in losses to U.S. businesses and critical infrastructure.
– OFAC’s action blocks all U.S.-based property of the designated individuals and entities, and bars U.S. persons from transactions with them, coordinated with the UK.
The U.S. Treasury Department’s Office of Foreign Assets Control has taken direct aim at the infrastructure enabling ransomware attacks, sanctioning two individuals and one company for their roles in facilitating cybercrime against American organizations.
On Monday, OFAC designated First VPN Service (1VPNS), a virtual private network provider that sold services to ransomware groups, along with its administrator, Dmytro Rashevskyi. Operating since 2014, 1VPNS openly marketed on cybercriminal forums that it kept no logs of user activity or identities and would not cooperate with law enforcement. Rashevskyi allegedly used false identities, including “Maksim Sorin” and “Roman Chabanenko,” to acquire infrastructure from companies that would otherwise have refused service due to abuse complaints.
These sanctions follow a European law enforcement takedown of 1VPNS’s website and infrastructure in May, supported by the FBI’s Boston Field Office. The action, dubbed Operation Saffron and led by French and Dutch authorities, began in December 2021 when investigators infiltrated the VPN’s infrastructure and collected its user database before dismantling it. During the operation, authorities seized 33 servers linked to 1VPNS across 27 countries, arrested its administrator, and exposed thousands of users tied to ransomware, fraud, and other malicious activities worldwide. Europol noted that the VPN service’s name had surfaced in nearly every major cybercrime investigation it supported.
Victims of ransomware attacks using 1VPNS’s infrastructure included U. S. businesses, hospitals, financial services firms, and municipal governments. This week, the Treasury Department also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national who sells cryptors (also known as crypters). These tools help ransomware and other malware evade detection by security software.
Officials estimate that ransomware operations using 1VPNS and Silayev’s cryptors have caused billions of dollars in losses to businesses and critical infrastructure providers across the United States. “These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection , enabling attacks that have caused billions of dollars in losses to U. S. critical infrastructure providers,” said State Department spokesperson Thomas Pigott. “By targeting not just ransomware operators but the service providers and tool suppliers who make their attacks possible, the United States and its partners are dismantling the broader networks that sustain cybercriminal activity worldwide.”
OFAC said the action was coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office. Under these sanctions, all property of the designated individuals and entities within U. S. jurisdiction is blocked, and U. S. persons and businesses are barred from transactions involving them. On Monday, the European Union and the United Kingdom also jointly sanctioned dozens of Russian individuals and entities, accusing Russia of coordinating a network of hacking groups linked to cyberattacks across Europe.
(Source: BleepingComputer)