On September 28, Europol and the FBI, together with the Ukrainian Cyber Police and the French National Gendarmerie (Gendarmerie Nationale), arrested the ransomware distributors. The losses attributed to their actions exceeded $2 million.
Arresting the ransomware gang: how it happens
In Kyiv, the capital of Ukraine, the Ukrainian Cyber Police arrested a cybercriminal who worked in the distribution chain of the REvil ransomware family. More precisely, he was an affiliate in a Ransomware-as-a-Service (RaaS) scheme, in which the malware developers do not run the attack campaigns themselves. They provide the ransomware builds and the payment and negotiation infrastructure to third parties, charging an initial fee plus a commission on each successful attack.
This man had a fairly successful criminal career. As he told investigators during interrogation, he had attacked more than 100 companies, with ransom demands ranging between €5 million and €70 million. During the arrest, the Ukrainian authorities seized two luxury cars worth a total of $252,000 and $375,000 in cash, and froze cryptocurrency wallets with a total balance of $1.3 million.
Interesting details about fraudsters’ activity
Most of the attacks carried out by this group targeted North American and European companies. As we argued in our article on how ransomware groups select their targets, these regions are the primary targets for most groups because of the number of profitable businesses there: companies that can afford to pay the ransom, yet often ignore basic security practices. This operator in particular spread ransomware through "RDP exploits" as well as through email spam. Note that in ransomware cases "RDP exploit" usually means password guessing or stolen credentials against a Remote Desktop service exposed to the Internet rather than a software vulnerability, which is why an RDP server reachable from the outside is such a common entry point. Both spreading methods are very popular among ransomware groups.
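The RDP entry point mentioned above is visible in Windows Security logs before the ransomware ever runs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one address, followed by a successful logon (4624) from the same address. The script below is an added example, not code from the original article or from any of the parties it describes; it runs the detection over a few constructed events whose field names (`ts`, `id`, `logon_type`, `user`, `src`) are an assumed export format, not an official schema.

```python
"""Added example (not part of the article): flag RDP password guessing in
Windows Security log events.

Logon type 10 (RemoteInteractive) marks RDP sessions; 4625 is a failed logon
and 4624 a successful one.  Several 4625s from one source address inside a
short window, followed by a 4624 from the same address, is the classic
"brute-forced RDP" pattern.  The events below are constructed for the
example; the JSON field names are an assumed export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5          # failed RDP logons from one IP inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample events, one JSON document per line.  Not real log data.
SAMPLE_EVENTS = """\
{"ts": "2021-09-01T02:00:01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:00:02", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:00:04", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:00:05", "id": 4625, "logon_type": 10, "user": "sql", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:00:07", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:00:09", "id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.7"}
{"ts": "2021-09-01T02:10:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "192.0.2.10"}
{"ts": "2021-09-01T02:10:30", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "192.0.2.10"}
{"ts": "2021-09-01T02:11:00", "id": 4625, "logon_type": 3, "user": "svc", "src": "198.51.100.3"}
"""


def parse_events(text):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that reached `threshold` failed RDP
    logons within `window`.  Each alert records the failure count and, if a
    successful RDP logon from the same IP followed the burst, its time and
    user name (the sign that the guessing worked)."""
    failures = defaultdict(list)   # src -> timestamps of 4625s still in window
    alerts = {}                    # src -> alert dict (insertion order kept)
    for e in events:
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue               # console, network and service logons are not RDP
        src = e["src"]
        if e["id"] == 4625:
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[src] = recent
            if src in alerts:
                alerts[src]["failures"] = len(recent)
            elif len(recent) >= threshold:
                alerts[src] = {"src": src, "failures": len(recent),
                               "first_seen": recent[0], "success_after": None}
        elif e["id"] == 4624 and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = (e["ts"], e["user"])
    return list(alerts.values())


def severity(alert):
    """A burst that ended in a successful logon is an intrusion, not noise."""
    return "critical" if alert["success_after"] else "warning"


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(severity(alert), alert["src"], alert["failures"], "failures,",
              "then logged in as %s at %s" % alert["success_after"][::-1]
              if alert["success_after"] else "no success seen")
```

On the constructed input only 203.0.113.7 is reported: five failed RDP logons in eight seconds followed by a successful one as "admin", which should be treated as a compromised host, not as a user mistyping a password. The single failure from 192.0.2.10 stays below the threshold, and the logon type 3 event is ignored because it is not an RDP session. In a real deployment the threshold and window should be tuned to the environment, and the same logic applies to any log source that records source address, outcome and logon type.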
Besides the operator, the Ukrainian Cyber Police also arrested a man who helped him exchange cryptocurrency for cash (UAH, EUR or USD). Ukraine intends to legalize cryptocurrencies at the state level, as El Salvador did, but it can hardly imagine how much stolen money will then flow through them. This "exchanger" will likely receive a prison term for aiding the criminals and for money laundering.
Arresting a single distributor, successful as that is, will not affect REvil much. The RaaS model relies on a large number of crooks working as affiliates, so cutting off one head will not kill this Hydra. It may sound naive, but I hope this man will cooperate with the investigation and help catch the other distributors. REvil is also known for its "chief", a Russian who does not even hide his criminal life: he owns a luxury car with the word "ВОР" (Russian for "thief") on its number plate. The Russian Federal Security Service (FSB, "ФСБ") does not arrest him, allegedly because of the bribes he pays them.
- Article on the Ukrainian media resource regarding the arrest.
I hope they will do the same thing to the gang behind the STOP/Djvu ransomware family, as it continues to spread like cancer. Good job!