{
	"id": "45ec70b9-c406-491c-b55a-211c051ac2ce",
	"created_at": "2026-04-06T00:12:56.947814Z",
	"updated_at": "2026-04-10T03:20:16.588793Z",
	"deleted_at": null,
	"sha1_hash": "38f6f9910ad8aed3689c52ae4d491e8b9d7b249a",
	"title": "REvil Actor Accuses Russia of Planning 2021 Kaseya Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1438270,
	"plain_text": "REvil Actor Accuses Russia of Planning 2021 Kaseya Attack\r\nBy Alexander Culafi\r\nPublished: 2025-08-11 · Archived: 2026-04-05 12:50:50 UTC\r\nSource: Alexander Culafi via Dark Reading\r\nA convicted REvil affiliate accused the Russian government of planning the 2021 supply chain attack against\r\nKaseya.\r\nJon DiMaggio, chief intelligence strategist at Analyst1, and John Fokker, head of threat intelligence at Trellix,\r\ndiscussed the ransomware-as-a-service (RaaS) gang REvil during an Aug. 9 session at DEF CON 33. REvil is an\r\ninfamous gang with a number of large-scale victims under its belt, including Acer and meat processing giant JBS\r\nS.A., but the talk covered REvil's most notorious strike: the July 2021 ransomware attack against Kaseya, which\r\nspecialized in remote IT management software and services.\r\nREvil targeted a vulnerability in Kaseya's remote monitoring software VSA in a supply chain attack that\r\ncompromised more than 1,000 companies.\r\nIn November of that year, the US Department of Justice (DOJ) unsealed documents against two alleged REvil\r\noperators, Russian national Yevgeniy Polyanin and Yaroslav Vasinskyi, the latter of which had been arrested in\r\nPoland the month before.\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/revil-actor-russia-planning-2021-kaseya-attack\r\nThe DEF CON session, \"Ghosts of REvil: An Inside Look with the Hacker Behind the Kaseya Ransomware\r\nAttack,\" primarily concerns Vasinskyi, who was extradited to the US in early 2022. 
In 2024, he was sentenced to\r\nmore than 13 years in prison and fined more than $16 million for, as the DOJ put it, \"his role in conducting over\r\n2,500 ransomware attacks and demanding over $700 million in ransom payments.\"\r\nA Look Inside REvil\r\nFokker began with an overview of REvil's operation, explaining that the group began in 2019 as a successor to the\r\nGandCrab ransomware group. When GandCrab reached about 150 affiliates, the scope of the operation was\r\nbecoming too large, and so a new group was established to support GandCrab's highest-earning members.\r\nREvil, which is now defunct, had a straightforward ransomware-as-a-service model, with five admins at the top\r\nsupporting 40 affiliates at any one time. In order to join, Fokker said, an affiliate needed to pass a \"strict\"\r\ninterview in order to prove they were REvil material.\r\n\"I have to confess, we tried to apply,\" Fokker said, \"but our Russian was not good enough so we were kicked out.\"\r\nAlthough REvil was known for its big game attacks, the group also targeted individual consumers. 
When a ransom\r\npaid out, the money would be split between the gang's administration and the affiliate that carried out the attack.\r\nThe session highlighted a number of reasons the gang was successful, including an early example of having a\r\ndedicated communication platform rather than email negotiations; an early example of using a leak site to publish\r\nstolen data (now standard practice for much of the ransomware ecosystem); stable malware and decryptors (\"You\r\nneed to be able to keep your promise if you encrypt something,\" Fokker said); strict affiliate selection; and smart\r\noutsourcing of certain functions like money laundering to third parties.\r\nOne other key differentiator between REvil and other gangs was that it was \"good at administration.\"\r\n\"Trust only goes so far if you pay people what they are owed. If you do not pay people, then they'll turn their back\r\non you,\" Fokker said. And for REvil, the group had detailed accounting with IDs marking both affiliates and their\r\ncampaigns.\r\nREvil eventually fell apart, starting in an international infrastructure takedown operation on Oct. 21, 2021. In\r\nJanuary 2022, Russia said it had dismantled REvil and charged several members.\r\nVasinskyi Speaks\r\nThe story got stranger when, in February of this year, DiMaggio received an email from federal prison claiming to\r\nbe a contact request from Vasinskyi, the REvil operator serving a 13-plus year prison sentence.\r\nAt first, DiMaggio said Vasinskyi planned on speaking with a journalist that had much further reach, but due to\r\nDiMaggio's technical understanding and previous research of cybercrime forums, the pair established a bond that\r\ncontinues today. 
At one point during the session, DiMaggio said he was planning to speak with Vasinskyi 30\r\nminutes after the session ended.\r\nAlthough one can't take a cybercriminal's word for granted, DiMaggio urged attendees to view the full report of\r\nhis interactions with the REvil actor, which were published to Analyst1 that day.\r\n\"I think there's a lot of value in understanding what a criminal tells you, and you know at this point, he didn't have\r\nmuch to lose. There wasn't really a reason for him to lie to me. He has no chance of parole,\" DiMaggio said.\r\nDiMaggio said that after the Kaseya attack, then President Biden said the US would respond if it turned out the\r\nRussian government was involved, \"which is pretty ***** ironic because the first thing Vasinskyi told me was\r\nthat the Russian government was involved.\"\r\nVasinskyi said that not only was the Russian government involved, but it also picked the target and orchestrated\r\nthe attack, with Vasinskyi acting as the architect to create the relevant zero-day exploit. It's worth noting that\r\nRussia has not taken credit for any cybercriminal actions taken during the Kaseya attack.\r\n\"Vasinskyi doesn't deny his role in the attack. What he does deny is him being the one who executed it. According\r\nto him, he staged everything, got into the network, and staged everything, but he did not execute the ransomware\r\npayload itself,\" DiMaggio said. \"According to Vasinskyi the Russian government did that, and that's a pretty big\r\ndeal if he's telling me the truth now.\"\r\nThe Russian government's motive for this, Vasinskyi reportedly told DiMaggio, was not to make money but instead\r\nfor the disruption from the attack to cripple downstream systems, allowing Russia to access critical infrastructure.\r\nVasinskyi, who is a Ukrainian national, was arrested while crossing the border into Poland. 
What followed,\r\nallegedly, were threats made against him and his family by individuals with supposed ties to Russian intelligence\r\n(as detailed in the aforementioned report).\r\nDiMaggio ended the session with an observation: That although Vasinskyi was convicted for crimes he\r\ncommitted, \"suddenly we stopped looking for the leadership of REvil.\" There have been no new indictments nor\r\nnames of REvil administrators.\r\n\"I'm a big believer in chasing bad guys, but we can't stop just because we got one, and since he was sort of the one\r\nthat was available. He wasn't in Russia, so he was accessible and it was kind of like having this trophy,\" DiMaggio\r\nsaid. \"I'm not saying he shouldn't be in prison. What I'm saying is we should be going after the leadership — the\r\npeople who made these plans.\"\r\nAbout the Author\r\nSenior News Writer, Dark Reading\r\nAlex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for\r\nindependent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of\r\nScience in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report,\r\nand elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on\r\npersonal writing projects, including two previously self-published science fiction novels.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/revil-actor-russia-planning-2021-kaseya-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/revil-actor-russia-planning-2021-kaseya-attack"
	],
	"report_names": [
		"revil-actor-russia-planning-2021-kaseya-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38f6f9910ad8aed3689c52ae4d491e8b9d7b249a.pdf",
		"text": "https://archive.orkl.eu/38f6f9910ad8aed3689c52ae4d491e8b9d7b249a.txt",
		"img": "https://archive.orkl.eu/38f6f9910ad8aed3689c52ae4d491e8b9d7b249a.jpg"
	}
}