FBI Director Christopher Wray’s Remarks at Press Conference Announcing Sodinokibi/REvil Ransomware Arrest
FBI Director Christopher Wray delivered the following remarks during a press conference at the Department of Justice in Washington, D.C., with partner agency officials announcing arrests and charges in connection with the Sodinokibi/REvil ransomware. (Remarks as delivered.)
Good afternoon. Today’s announcement of the arrest of Yaroslav Vasinskyi in Poland, and the charges against and seizure from Yevgeniy Polyanin, shows what’s possible when federal and international law enforcement work together with private sector companies. It also demonstrates our resolve in pursuing criminal enterprises that use ransomware to threaten our critical infrastructure, our public health and safety, and our economic vitality.
As the attorney general noted, this ransomware strain has wreaked havoc across the globe, extorting vast sums and inflicting significant damage with attacks on, to name just a few: JBS foods, local governments in Texas, hospitals, schools, 911 call centers, and, of course, Kaseya.
When Kaseya realized that some of their customers’ networks were infected with ransomware, they immediately took action. They worked to make sure both their own customers—managed service providers (MSPs)—and those MSPs’ customers downstream quickly disabled Kaseya’s software on their systems.
They also engaged with us early. The FBI then coordinated with a host of key partners—including CISA and foreign law enforcement and intelligence services—so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire.
Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger.
Here, we were able to obtain a decryption key that allowed us to generate a usable capability to unlock Kaseya customers’ data. We immediately strategized with our interagency partners and reached a carefully considered decision about how to help the most companies possible, both by providing the key and by maximizing our government’s impact on our adversaries, who were continuing to mount new attacks.
Ultimately, we were able both to unlock encrypted data and to take bad actors out of operation, including by hitting Sodinokibi more broadly, seizing cryptocurrency—and, as you just heard, late last week, our partner Romanian authorities also arrested two other individuals suspected of cyberattacks using Sodinokibi/REvil ransomware.
As the attorney general and the deputy attorney general mentioned, the steps we’ve announced today are yet another example highlighting why the public needs breach reporting legislation that provides the FBI real-time access to information about ransomware attacks and other criminal breaches.
When the FBI is engaged early, we can provide victims more and better support. We get them the intelligence and technical information they need faster. And we can quickly work back from the intrusion to follow and seize the criminals’ money before it can jump through wallet after wallet and exchange after exchange, identify other victims about to be hit or in the early stages of further attacks, and make connections between what the reporting victim sees and intelligence that we’re gathering from around the world, arming both the private sector and our government partners with insights they can act on.
We’ve deployed technically trained agents, computer scientists, intelligence analysts, and others in every one of our 56 field offices across the country so that we can warn businesses big and small, wherever they may be, quickly and with the information they need to defend their networks.
Over the past few years, ransomware schemes have repeatedly crippled hospital systems, targeted the energy sector, threatened emergency services, and cost or endangered thousands of jobs at businesses of every kind and size.
Now most of the time, the actors themselves are trying to hide abroad, but as we’ve shown time and time again, we’re still gonna pursue them, disrupt them, and hold them accountable. The long arm of the law reaches a lot further than they think.
And we’ve got ways of disrupting those sheltering in places like Russia—as Polyanin discovered when he woke up and found $6.1 million he’d extorted from his victims missing.
Good partners of ours, like the Treasury and State Departments, are also adept at turning the results of our investigations into action and pressure abroad.
I want to thank Kaseya and other private sector partners for their invaluable help in this case—and for the way they’ve joined our response to the ransomware threat.
I also want to thank our own Dallas and Jackson Field Offices for leading the investigation.
And I’m grateful to all our federal partners and our many foreign partners, especially Poland, Romania, Ukraine, France, and Germany.
The cyber threat is daunting—but when we combine the right people, the right tools, and the right authorities, our adversaries are no match for what we can accomplish together.
Thank you. And I’ll turn the podium over to the Deputy Secretary of the Treasury, Wally Adeyemo.