Connect with us

Security

Government Crackdown: U.S. Sanctions Top VPN Service and Malware Seller for Ransomware Assistance

Published

on

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has identified two individuals and a VPN service provider for facilitating malicious activities by ransomware actors and other cybercriminals, including ransomware attacks against American targets.

First VPN Service (1VPNS) and its 45-year-old Ukrainian administrator, Dmytro Rashevskyi, have been accused of providing tools to ransomware groups. Yegeniy Vladimirovich Silayev, a Belarusian national, has also been sanctioned for selling cryptors used to disguise ransomware and other malware as harmless programs to evade detection by security software.

In May 2026, First VPN was shut down as part of a coordinated effort by European and North American authorities to combat its role in assisting criminal actors in concealing the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The service had been operational since 2014, promoting its policy of not logging users’ identities or activities and not cooperating with law enforcement to address illegal activities originating from its servers.

According to the Treasury Department, several ransomware groups utilized First VPN to launch attacks on U.S. entities, conceal their identities, deploy malware, and manage stolen data. The victims of these attacks included American businesses, financial institutions, hospitals, and local governments.

The designated parties’ services allegedly led to significant financial losses for American businesses and critical infrastructure providers, as per U.S. officials.

“Rashevskyi, using aliases such as ‘Maksim Sorin’ and ‘Roman Chabanenko,’ purchased infrastructure from companies that might have otherwise rejected him due to complaints from internet service providers about illicit activities originating from 1VPNS servers,” the department stated.

See also  Major Paint Manufacturer AkzoNobel Hit by Cyberattack on American Website

U.K. and E.U. Target Russian Individuals and Entities with Sanctions

The announcement coincides with the United Kingdom and the European Union imposing sanctions on Russian cyber networks for their consistent efforts to create chaos and division in Europe. The sanctions focus on 24 individuals and entities involved in destructive cyber and hybrid operations, including operatives connected to proxy networks associated with the Russian Intelligence Services (RIS).

The sanctioned individuals include senior members of Russia’s Main Intelligence Directorate (GRU) Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, who were implicated in directing GRU cyber and hybrid threat operations. Additionally, Centre 16 of the Federal Security Service (FSB) was linked to disruptive sabotage activities targeting Poland’s energy grid in the previous year.

The U.K. government highlighted that the GRU’s Unit 29155 cyber division collaborated with cybercriminals, including the company IMPULS, to recruit hackers and cyber experts from various educational institutions in Russia.

The sanctions also target those responsible for Lumma Stealer, a tool that enables cybercriminals to gather sensitive data from compromised devices on a large scale. The stolen credentials obtained through Lumma Stealer were allegedly used by Russia for cyber espionage operations worldwide to support its strategic goals.

The European Union condemned Russia’s actions, emphasizing its misuse of the cyber environment to target public services and critical infrastructure, resulting in disruptions and financial harm. By holding Russia accountable for such activities, the EU underscores its commitment to promoting responsibility in cyberspace.

Russian State-Sponsored Cyber Operations Target Routers

The sanctions announcement coincides with a recent advisory issued by the U.S. Federal Bureau of Investigation (FBI) regarding the exploitation of poorly configured and vulnerable networking devices by FSB Center 16 cyber actors worldwide. These actors opportunistically hack into critical infrastructure sector networks by targeting inadequately protected routers.

See also  Digital Parasite: The Evolution of Ransomware and its Impact on Residency

The FBI highlighted that the Russian FSB Center 16 cyber actors primarily use scanning techniques to identify vulnerable networking devices, particularly routers, for exploitation. They exploit common vulnerabilities and exposures (CVEs) in Cisco devices like CVE-2018-0171 and CVE-2008-4128 to identify and exploit misconfigured networking appliances.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2008-4128 to its catalog of Known Exploited Vulnerabilities (KEV), mandating federal agencies to implement necessary fixes by July 16, 2026.

The threat actors associated with this campaign, known by various names such as Berserk Bear, Crouching Yeti, and Energetic Bear, have targeted networks across sectors like defense, communications, energy, finance, government, and healthcare. Cisco previously warned of active exploitation of CVE-2018-0171 in August 2025, urging prompt application of security patches.

The U.S. National Security Agency (NSA) emphasized that this ongoing issue has affected multiple networks in the U.S. and abroad, impacting critical infrastructure sectors and causing disruptions and financial losses.

Trending