Case Studies on Ransomware Attack Prosecutions
📘 Major Ransomware Prosecution Case Studies
1. United States v. SamSam Ransomware Operators (2018 – ongoing)
Background
The SamSam ransomware targeted hospitals, schools, city governments, and major corporations. Notably, it crippled the City of Atlanta in 2018, causing millions of dollars in damage.
Defendants
Faramarz Shahi Savandi (Iranian national)
Mohammad Mehdi Shah Mansouri (Iranian national)
Modus Operandi
Gained access through brute-force attacks on remote desktop services.
Encrypted entire networks.
Demanded Bitcoin ransoms.
Caused over $30 million in losses and extorted around $6 million.
Charges
Conspiracy to commit wire fraud
Intentional damage to protected computers (18 U.S.C. §1030)
Transmission of ransom demands
Money laundering
Significance in Case Law
This case became a model for cross-border ransomware indictments even when the defendants are outside U.S. custody. It affirmed that:
U.S. federal courts assert jurisdiction over cybercrimes affecting U.S. entities.
Cryptocurrency-based extortion falls under traditional fraud and money-laundering statutes.
2. United States v. Evil Corp (Dridex and BitPaymer Ransomware) – Maksim Yakubets (2019)
Background
“Evil Corp” is one of the most notorious cybercriminal groups globally, responsible for:
Dridex malware
BitPaymer ransomware
Defendant
Maksim Yakubets — Russian national, alleged leader of Evil Corp.
Modus Operandi
Dridex malware stole banking credentials.
BitPaymer used to encrypt critical infrastructure, including hospitals and local governments.
Estimated losses exceeded $100 million.
Charges
Conspiracy to commit bank fraud
Computer fraud
Wire fraud
Money laundering
Case Law Significance
The prosecution reinforced:
The applicability of U.S. extraterritorial cybercrime jurisdiction.
Ransomware groups that use banking-credential malware are subject to financial fraud statutes, not only cybercrime statutes.
The indictment was accompanied by one of the largest rewards ever offered for information leading to a cybercriminal's arrest.
3. United States v. REvil/Sodinokibi Actors – Kaseya Attack (2021)
Background
In July 2021, the REvil ransomware gang executed a massive supply-chain attack through the Kaseya VSA software platform, affecting over 1,000 companies worldwide.
Defendants
Yaroslav Vasinskyi (Ukrainian national) – arrested in Poland
Yevgeniy Polyanin (Russian national)
Modus Operandi
Breached Kaseya VSA update mechanism
Deployed ransomware simultaneously to managed service providers
Demanded a $70 million decryption ransom
Charges
Conspiracy to commit computer damage
Intentional damage to protected computers
Extortion involving computers
Money laundering
Evidence & Investigation
International cooperation among U.S., Ukrainian, and EU law enforcement
Cryptocurrency tracing
Forensic linking of REvil code to attackers
Case Law Impact
This prosecution highlighted:
Supply-chain ransomware can attract enhanced penalties
Cryptocurrency tracing is admissible and robust evidence
Collaboration with foreign states is crucial for cybercrime enforcement
4. United States v. Netwalker Ransomware Affiliate – Sebastien Vachon-Desjardins (2022)
Background
Netwalker ransomware targeted:
Universities
Medical institutions
Government agencies
Defendant
Sebastien Vachon-Desjardins, a Canadian former government IT professional.
Modus Operandi
Ran attacks as a Ransomware-as-a-Service (RaaS) affiliate
Earned over $27 million worth of cryptocurrency
Charges
Conspiracy to commit computer fraud
Conspiracy to commit wire fraud
Extortion
Intentional damage to protected computers
Outcome
Extradited to the U.S.
Sentenced to 20 years in federal prison
Forfeiture of millions in cryptocurrency
Legal Significance
First major sentencing of a RaaS affiliate, setting a precedent that affiliates are as culpable as the core developers.
Confirmed that cryptocurrency assets obtained through ransomware are subject to forfeiture.
5. United States v. Maryland Department of Health Attackers – Egregor Ransomware (2021–2022)
Background
The Egregor ransomware group hit dozens of companies and government systems, including the Maryland Department of Health.
Defendants
Several individuals were arrested across Europe as part of global enforcement coordinated by multiple agencies.
Modus Operandi
Used "double-extortion": encrypting data and threatening leaks.
Relied on phishing and credential theft for initial access.
Charges
Conspiracy to commit computer intrusion
Extortion via ransomware
Participation in a criminal organization (in Europe)
Money laundering
Significance
This case was one of the first to:
Treat “double extortion” as supporting separate charges of extortion and data theft
Pursue both affiliates and infrastructure providers of ransomware networks
6. United States v. North Korean Lazarus Group – WannaCry Ransomware (2017–ongoing)
Background
The WannaCry ransomware attack in 2017 affected over 200,000 computers in 150 countries, including:
UK’s National Health Service
Telefónica
FedEx systems
Defendant
Park Jin Hyok, member of the North Korean Lazarus Group.
Modus Operandi
Exploited the NSA’s leaked EternalBlue SMB vulnerability
Deployed self-propagating (worm-like) ransomware
Demanded Bitcoin ransoms
Charges
Conspiracy to commit computer fraud
Wire fraud
Extortion
Unauthorized access to protected computers
Case Law Importance
This case set precedent in:
Charging nation-state actors for ransomware
Linking cyberattacks to government intelligence units
Offering legal recognition of state-sponsored ransomware operations as criminal acts under U.S. law
Key Legal Principles Established Across These Cases
1. Extraterritorial Jurisdiction
U.S. courts can prosecute foreign nationals if:
U.S. victims were targeted
Infrastructure in the U.S. was used
U.S. commerce was impacted
2. Cryptocurrency as Traceable Evidence
Courts have accepted:
Blockchain analysis
Seizure of wallets
Conversion of ransom payments into forfeitable assets
3. Ransomware-as-a-Service Liability
Affiliates can be convicted of:
Conspiracy
Fraud
Extortion
even if they did not write ransomware code.
4. Double Extortion Brings Additional Charges
Data theft + encryption can support:
Computer intrusion
Identity theft
Extortion
Trade secret theft (in corporate cases)
5. Nation-State Prosecutions
Even if defendants cannot be physically extradited:
Indictments serve as international sanctions tools
Travel restrictions are imposed
Property or cryptocurrency may be seized