Quiz 1P — Ransomware Group Prosecutions: DOJ Disruption Operations | LawZeee

Question 1

Yaroslav Vasinskyi was a REvil affiliate who deployed ransomware against Kaseya and approximately 2,500 other victims. He was arrested in Poland and extradited to the United States. What sentence did he receive in January 2024?

A5 years and $2 million in restitutionB10 years and $10 million in restitutionC13 years 7 months and $16 million in restitutionD20 years and $70 million in restitution

Question 2

No DarkSide operators have ever been convicted in U.S. courts following the Colonial Pipeline attack. Which of the following best explains why the absence of arrests does not mean the government did nothing?

AThe government settled the case civilly and collected penalties from DarkSide's insurersBThe FBI recovered approximately $2.3 million of Colonial's Bitcoin payment using a court-authorized wallet seizure under 21 U.S.C. § 853 without any in-custody defendantCThe government declined to prosecute because Colonial Pipeline paid the ransom voluntarilyDDarkSide was located in a country with an active extradition treaty, so charges are pending trial

Question 3

The Conti ransomware group's internal structure was exposed in February 2022 when approximately 60,000 internal chat messages and source code were leaked. What triggered the leak?

AAn FBI undercover operation penetrated Conti's affiliate panelBA disgruntled Conti developer sold the data to a blockchain analytics firmCAn anonymous Ukrainian security researcher leaked the data following Russia's invasion of UkraineDOFAC obtained the data as part of a sanctions enforcement proceeding

Question 4

Mikhail Matveev, also known as Wazawaka, was indicted in May 2023 for his role as an affiliate for Conti, LockBit, and Hive. The State Department offered $10 million for information leading to his arrest. What is his current status?

AIn custody at a federal detention center in New Jersey awaiting trialBExtradited from Belarus and awaiting sentencing in the Eastern District of MichiganCAt large in Russia; has publicly acknowledged the indictment on social mediaDServing 15 years in a German prison after European arrest warrant execution

Question 5

Operation Cronos in February 2024 seized LockBit's infrastructure and unmasked its administrator as Dmitry Yuryevich Khoroshev. Which of the following was NOT part of the operation's publicly documented actions?

ASeizure of LockBit's leak site and affiliate panelBPublication of LockBit's own negotiation chat logs on the seized site as a deterrence tacticCObtaining a guilty plea from Khoroshev in a U.S. district courtDOFAC designation of Khoroshev and a $10 million State Department reward

Question 6

ALPHV/BlackCat suffered an FBI disruption operation in December 2023. After the FBI seized its leak site and distributed decryption keys to approximately 500 victims, ALPHV demonstrated the ceiling of the disruption model by doing what?

APermanently dissolving after law enforcement published its source codeBTemporarily unseizing its own Tor site (demonstrating that retaining the underlying keys allows reconstitution) before subsequently appearing to dissolveCFiling a legal challenge in U.S. federal court to contest the seizureDNegotiating a partial surrender of cryptocurrency holdings in exchange for immunity

Question 7

An incident response team learns their client was attacked by Evil Corp, which has been OFAC-sanctioned since December 2019. The client wants to pay the ransom immediately. Under OFAC's strict liability framework, which of the following is most accurate?

AVictims are always exempt from OFAC liability because they are the injured partyBA civil penalty of up to $1,078,017 per violation can apply even if the victim did not know Evil Corp was sanctioned, because civil OFAC liability does not require intentCOFAC liability only triggers if the ransom exceeds $1 millionDOnly the cryptocurrency exchange processing the payment faces OFAC liability, not the victim company

Question 8

Under the Ransomware-as-a-Service (RaaS) model, Alla Witte was a Trickbot/Conti malware developer who wrote code for the ransomware module but did not personally conduct attacks against victims. What was the legal outcome of her prosecution?

ACharges were dismissed because she never directly accessed victim systemsBShe was acquitted because the CFAA requires proof that the defendant deployed the malwareCShe pleaded guilty to conspiracy to commit computer fraud and was sentenced to 32 months, establishing that writing ransomware components creates CFAA conspiracy exposureDShe received civil immunity in exchange for cooperation and was not criminally charged

Question 9

A healthcare company receives a ransomware demand and, before paying, screens the attacker against the OFAC SDN list. The group is not listed. The company pays $22 million. Three months later, the group is added to the SDN list. Which of the following best describes the company's OFAC exposure at the time of payment?

AThe company has full OFAC liability because they should have anticipated the future designationBThe payment occurred before designation, so OFAC strict liability does not apply to that transaction — OFAC sanctions run from the designation date forwardCThe company must immediately return the decryption key to CISA to avoid retroactive liabilityDThe company is liable for criminal penalties because they failed to monitor SDN list updates in real time

Question 10

The DOJ's "disruption model" for ransomware treats indictment as a pressure tool rather than a conviction pipeline. Which of the following best describes what an indictment without an in-custody defendant practically accomplishes?

ANothing — an indictment has no legal effect unless the defendant is present in a U.S. courtroomBIt triggers Interpol Red Notices, freezes access to the international banking system via correspondent banking restrictions, and bars travel to extradition-treaty countries — imposing operational costs without requiring a courtroomCIt automatically seizes all cryptocurrency wallets associated with the defendant's known addressesDIt permanently prevents the defendant from operating a ransomware group by blocking their internet access through international agreements