Skip to main content
Emerging ThreatsMalware & Ransomware

Treasury Disrupts Ransomware Networks with Sanctions on VPN Service

Server room with rows of out-of-focus servers, symbolizing disrupted VPN service.

“Numerous ransomware groups have purchased infrastructure from 1VPNS, which they have leveraged in attacks on U.S. companies and institutions — including to hide the origins of their attacks, deploy malware, and manage exfiltrated data,” the U.S. Treasury Department’s Office of Foreign Assets Control said.

OFAC designates First VPN Services, Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev

The Treasury Department on Monday sanctioned First VPN Services (1VPNS) and its alleged administrator, Ukrainian citizen Dmytro Rashevskyi, as well as Belarus national Yegeniy Vladimirovich Silayev. OFAC said 1VPNS provided anonymity services that could be legitimate in some instances but had been “deeply embedded in the cybercriminal ecosystem.” The office said 1VPNS advertised itself in online cybercrime forums for more than a decade and touted its refusal to cooperate with law enforcement.

How 1VPNS and “cryptors” were used in ransomware operations

OFAC described 1VPNS infrastructure as a tool ransomware operators used to hide attack origins, deploy malware, and manage exfiltrated data. The designation also targeted Silayev for allegedly selling “cryptors,” which OFAC defined this way: “Unlike legitimate encryption tools, which are designed to protect data and the privacy of the people that own it, cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files.”

Evidence and enforcement: Europol sting, FBI alert, and blockchain analysis

Europol said the service appeared in virtually every investigation it handled in recent years and that a May sting had led to the arrest of the administrator of 1VPNS, though Europol did not name that person. The Treasury Department did not immediately respond to a question about whether its sanctions targeted that same arrested person. The FBI has previously issued an alert about First VPN Service.

Blockchain intelligence firm TRM Labs supplied transactional context: it said it has seen 1VPNS selling services to ransomware operators for prices ranging from $723 for Anubis to $58 for Sinobi. Ari Redbord, global head of policy and government affairs at TRM Labs, wrote on LinkedIn that “the amounts are small because infrastructure subscriptions are small,” and added that “a named ransomware group paying a named enabler on public chains still leaves a trail investigators can follow after the fact.”

Treasury coordination with the United Kingdom and European measures

OFAC’s action was taken “in conjunction with the United Kingdom,” the Treasury Department said. The Treasury’s sanctions designations dovetail with separate, unrelated cyber sanctions that European governments from Monday, according to the notice. The designations therefore sit alongside parallel law-enforcement and sanctions activity on both sides of the Atlantic.

What this means for U.S. municipalities, hospitals, security teams, and ransomware enablers

  • U.S. municipalities and hospitals: OFAC named victims tied to 1VPNS infrastructure that include U.S. municipalities and hospitals, joining previously cited U.S. businesses and financial services companies on the list of targets whose attackers relied on the service.
  • Technologists and security teams: the combination of law enforcement arrests, blockchain tracing by firms such as TRM Labs, and OFAC designations underscores avenues for attributing and disrupting infrastructure used in ransomware operations, even when services advertise anonymity.
  • Ransomware operators and enablers: the sanctions and the Europol sting demonstrate exposure for services that market noncooperation with law enforcement or sell tools like cryptors that are intended to make malware stealthier.

The Treasury action ties a widely used anonymity service and an alleged cryptor vendor to the operational plumbing of ransomware attacks that have hit U.S. companies, financial firms, hospitals, and municipal governments. Europol’s May arrest, the FBI alert, and blockchain tracing reported by TRM Labs together map an investigative arc from criminal advertisements to payments and, finally, to enforcement. One concrete open fact remains in the record supplied by authorities: whether the person Europol arrested in May is the same individual named in OFAC’s designation, a question to which Treasury “did not immediately respond.”

Source: CyberScoop — Treasury sanctions First VPN Service, others for abetting ransomware gangs