Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime
Russia Announces Arrest of Medibank Hacker Tied to REvil
3 Suspects Charged With Using Sugar Ransomware, Phishing Attacks Against RussiansNot for the first time, Russian authorities have busted Russian nationals accused of using malicious code against domestic targets. The U.S. and other countries also have tied at least one of the suspects to the massive 2022 hack attack against one of Australia's largest private health insurers, Medibank, although that doesn't appear to have been a factor in Russia's arrests.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Russian police arrested three men, including Aleksandr Nenadkevichite Ermakov, last month on charges of violating Article 273 of the country's criminal code, which prohibits creating, using or disseminating harmful computer code, said Russian cybersecurity firm F.A.C.C.T.
The firm, according to a machine translation, said "the attackers worked under the guise of a legal IT company offering services for the development of landing pages, mobile applications and online stores." That company was called Shtazi-IT.
The Russian Ministry of Internal Affairs' Bureau of Special Technical Events reportedly also accused the three suspects of being members of the ransomware-as-a-service operation called SugarLocker, aka Sugar or Encoded01, which first appeared at the beginning of 2021 and picked up steam in November 2021. Unlike many ransomware operations that focus on hitting businesses, Sugar-wielding affiliates targeted individuals and perhaps also very small businesses, said cybersecurity firm Malwarebytes.
F.A.C.C.T. said it had contributed cybercrime intelligence used in the ongoing investigation, which is being led by the Bureau of Special Technical Events. Cybersecurity firm Group-IB, which changed its headquarters from Moscow to Singapore in 2019, fully divested its Russian operations in April 2023 by selling them to local management, which now operates as F.A.C.C.T.
Medibank Hacking Suspect
The arrest announcement is notable in part because Australia, the U.S. and the U.K. last month sanctioned Ermakov - aka GustaveDore, JimJones and Blade Runner - for perpetrating numerous hack attacks. Those include attacking and extorting Australia's Medibank for $10 million, which the bank refused to pay. Declaring "case closed," the hackers then dumped stolen information pertaining to 9.7 million current and former Medibank customers.
According to F.A.C.C.T., Russian authorities didn't name the three arrested suspects, but they said one of them had used the aforementioned aliases.
U.S. officials last month said evidence suggested Ermakov and his alleged Medibank accomplices also had links "to the Russia-backed cybercrime gang REvil." That ransomware-as-a-service group, also known as Sodinokibi, was formed from the ashes of the Maze operation and raged from April 2019 until early 2021. Multiple law enforcement agencies definitively knocked it offline in July 2021.
Cybersecurity firm Intel 471 last month reported that stolen Medibank data had been posted on a blog formerly controlled by REvil, "although the connection wasn't clear at the time" between Ermakov and that ransomware group. "This makes sense in retrospect, as Ermakov's group had also been a REvil affiliate," the firm said.
SugarLocker appears to have ramped up operations as REvil was dying.
Coincidence or otherwise, the Russian arrest announcement arrived on the heels of a coalition of 11 Western law enforcement agencies announcing the disruption of the Russian-speaking ransomware group LockBit's infrastructure and making arrests and indictments. Western law enforcement agencies reportedly told LockBit affiliates they had infiltrated the ransomware group's infrastructure because it failed to patch a known vulnerability in its web panel for affiliates. The group's leadership persona, LockBitSupp, confirmed that the disruption appeared to trace to a PHP flaw he had failed to patch.
Investigators Exploited Flaw in SugarLocker Server
A similar error appears to have led to the shutdown of the SugarLocker operation. F.A.C.C.T. said that in January 2022 its researchers had identified a web server configuration flaw in SugarPanel, the ransomware group's control panel for affiliates, and had gained access to the infrastructure, which was being hosted on a Russian server.
F.A.C.C.T. collected digital forensic evidence that suggests multiple SugarLocker operators weren't just developing the ransomware for affiliates "but also developing custom-made malicious software, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the CIS." The CIS is the Commonwealth of Independent States, which comprises Russia and 11 neighboring states.
Legal experts say Russia's computer laws only outlaw computer crime that affects Russians. The country also never extradites its citizens, whatever charges they might face abroad. Hence Russia-based individuals accused of computer crimes abroad typically seem to operate with impunity, which is one reason why arresting many alleged ransomware masterminds remains challenging.
All bets are off if suspects facilitate or directly attack Russians or citizens of fellow CIS countries (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).
Even so, Russian authorities busting alleged ransomware operators remains rare. One exception happened in January 2022, when Moscow reported detaining 14 alleged midlevel members of REvil, based in part on U.S. intelligence. The group's hits included a supply chain attack on software vendor Kaseya as well as disrupting the world's largest meat processor, JBS.
Security watchers questioned Moscow's motivations, especially as the country was massing troops on Ukraine's border and pummeling the country with cyber operations. Following President Vladimir Putin ordering an all-out invasion in February 2022, any Russian intentions - genuine or otherwise - to combat ransomware appear to have dissipated.