They are not invincible: More Ransomware Hackers Arrested, Bitcoins Seized

by Patricia

For a long time, they were considered almost impossible to catch: Hackers who extort money from their victims through ransomware. The police’s investigative successes against REvil now show that the fight against ransomware is not as hopeless as it seems.

Actually, “affiliates” are quite clearly defined in the net economy. “Affiliates”, sometimes also called “partners”, are publishers who direct their readers or site visitors to advertisers’ websites via “affiliate links” and then receive a commission when those readers become customers.

Affiliates are independent advertising partners who do not earn money by displaying advertisements alone, but solely through commissions. The lucrativeness of affiliate programmes varies greatly. Some are excellent opportunities, especially for large websites, to make money from their work; others, on the other hand, yield only a few pennies at best.

Among the most lucrative affiliate programmes currently to be found are those of ransomware operators such as REvil. For several years now, ransomware authors have not bothered to get the malware onto other systems themselves, but have relied on affiliates to do so.

These affiliates receive the software from the hackers. They infiltrate the victim’s systems – sometimes through sophisticated hacking techniques, sometimes through plain spam emails – and deploy the ransomware. If the victim then pays, they receive a share of the proceeds, usually 70–80 per cent. The authors of the ransomware, meanwhile, can put their feet up and watch the money roll in.

Million-dollar wallet confiscated from affiliate

Recently, the US FBI has gone after these affiliates. Specifically, investigators got on the trail of a Russian citizen, Aleksandr Sikerin, who resides in Saint Petersburg.

The FBI accuses Sikerin of gaining unauthorised access to other computers, installing the REvil ransomware there and then laundering money. Based on this indictment, officials confiscated an Exodus Wallet from Sikerin that contained 39.9 Bitcoins, or about $2.3 million.

Sikerin, according to the indictment, is partly responsible for ransomware attacks that have resulted in ransom payments of about $200 million. In part, these ransom payments can be linked to Sikerin’s wallet, which is now under FBI control.

Exactly how the FBI managed to take possession of “an Exodus wallet” is still unclear. Exodus is a wallet for desktop computers and mobile devices. It has been criticised because not all parts of its code are open source, but it is rather unlikely that the wallet contains a backdoor so extensive that the US government can confiscate money at the push of a button. More likely is access either through the seizure of devices or through a hack.

An international strike against REvil

The wallet may also have been part of a wider seizure a month ago. Earlier in November, the US Department of Justice had charged a Ukrainian and a Russian with being behind one of the worst ransomware attacks on Americans.

Specifically, it was the attack on the software provider Kaseya in July by the REvil ransomware. Because its software runs in numerous systems, the attack spread around the world. Thousands of companies were affected, including, for example, all the Coop supermarkets in Sweden.

Ukrainian Yaroslav Vasinsky was arrested in Poland in October of that year. He and his Russian colleague Yevgeny Polynin are accused of breaking into victims’ computers and installing the REvil ransomware. Unlike Vasinsky, Polynin is still at large.

In the course of these investigations, US authorities have confiscated Bitcoin and Monero worth more than six million dollars, which can be traced back to ransom payments. In addition to the FBI, Europol and other police agencies were also involved.

According to Europol, two more defendants were arrested in Romania in early November for distributing REvil ransomware, and officials in South Korea confirmed they had arrested three suspects. In total, investigators pursued 12 suspects accused of being responsible for ransomware attacks in 71 countries.

Not a perfect crime though

For a long time, ransomware was considered a “perfect crime” because it seemed almost impossible to track down the perpetrators. Now the tide seems to be slowly turning. At least the investigative successes against REvil suggest so.

One reason for this might be that the ransomware hackers have gone too far. The hack of a celebrity law firm was already reason enough for the US government to speak of “cyberterrorism”; the ongoing attacks on city administrations, hospitals and universities have probably exhausted the patience of the authorities; the hacks of Colonial Pipeline and Kaseya were the straw that broke the camel’s back.

Bitcoin and the darknet are forcing law enforcement agencies around the world to collaborate across borders. We already know this from the sometimes spectacular successes against darknet marketplaces. Now the police are consistently applying the resources and expertise they have built up in this process to the fight against ransomware.

In addition, a change in strategy also seems promising. Kimberly Goody, a director at the security firm Mandiant, explained that it could be more promising to take action against affiliates than against the core of the ransomware gang. This is because not only are affiliates closer to the scene of the crime – they, not the ransomware authors, hack the computers – but they are often less careful, and “their skills are more in demand than encryption software”. Some affiliates also work for multiple gangs. So it could be that it is not so much the software developers but the affiliates who are the bottleneck of the ransomware economy.

In fact, it seems hard to get at the creators of the software itself. The makers of REvil already withdrew in the summer after Colonial Pipeline was hacked. Presumably they realised that a line had been crossed.
