Russian cybercrime suspect arrested in $1M ransomware conspiracy


by Paul Ducklin

Here’s a cybercrime conspiracy story with a difference.

When we write about network-wide ransomware attacks where a whole company is blackmailed in one go, two burning questions immediately come up:

  • How much money did the crooks demand?
  • Did the victim pay up?

The answers vary, but as you have probably read here on Naked Security, modern ransomware criminals often use a two-pronged extortion technique in an attempt to maximize their asking price.

First, the cyber criminals steal a trove of company files that they threaten to make public or to sell on to other cyber criminals; then they scramble the data files on all the company’s computers in order to bring business to a halt.

Pay up the blackmail money, say the cyber hackers, and they will not only “guarantee” that the stolen data will never be passed on to anyone else, but also provide a decryption program to reconstitute all the scrambled files so that business operations can resume.

Recent reports include an attack on fitness tracking company Garmin, which was allegedly blackmailed for $10m and did pay up, though apparently after wangling the amount down into the “multi-million” range; and on business travel company CWT, which faced a similar seven-figure demand and ended up handing over $4.5m to the criminals to get its business back on the rails.

In contrast, legal firm Grubman Shire Meiselas & Sacks faced a whopping $42m ransomware extortion demand but faced it down, likening the crooks to terrorists and refusing to pay a penny.

More recently, US liquor giant Brown-Forman took a similar stance, refusing to deal with criminals after its network was infiltrated.

The third question

Of course, there’s a third question, one that isn’t quite as dramatic as “How much?”, but that is way more important:

  • How did the crooks get in to start with?

There are lots of possible answers to that one, including: by using exploits against unpatched software bugs; by sending infected attachments in phishing emails; by luring employees to fake login pages to steal passwords; by using existing malware in the network to download and deploy the ransomware program; by finding unprotected remote access portals such as RDP or SSH

…or by getting insider help.

And that’s what happened – or so the US Department of Justice (DOJ) alleges – in a recent cybercrime misadventure in Reno, Nevada.

According to federal criminal charges filed this week, the DOJ claims that a certain Egor Igorevich Kriuchkov of Russia not only planned a malware attack against a US company, but also travelled in person to America to negotiate with an employee of the company to implant the malware and thus initiate the attack.

Old meets new

In a fascinating mix of old-school face-to-face techniques and new-wave cybercriminality, Kriuchkov, who is 27 years old, is alleged to have set up a meeting via WhatsApp, then travelled to San Francisco and driven on to Reno in Nevada to talk to an unnamed employee of his planned victim company to propose a “special project”.

Acting on behalf of unnamed co-conspirators, presumably safely back in Russia where (if they are Russian citizens) they have constitutional protection against extradition, Kriuchkov is supposed to have dangled a million-dollar carrot in front of the insider in return for them helping to perpetrate the crime.

The court filing claims that the insider would have been expected to provide information relevant in tailoring the attack to the victim’s network, and then to connect up and run the malware to infect the network.

In return, Kriuchkov promised the insider a cool $1,000,000.

No details are given in the affidavit about what network intelligence the insider was expected to come up with, but you can probably imagine lots of details that would be valuable to attackers, including: lists of computer and server names; network diagrams including internal IP numbering, firewall setup and VLAN configuration; any security software installed; usernames and working hours; IT staff and shift patterns; and much more.

Apparently, while the malware was being unleashed from inside the network, Kriuchkov – presumably back in Russia at this point – and his co-conspirators were planning to launch a “decoy” attack from outside, thus distracting the company’s IT team from the more serious problem unfolding internally.

The charge sheet doesn’t make any mention of file scrambling in the plans, claiming merely that:

The co-conspirators would engage in a Distributed Denial of Service Attack to divert attention from the malware.

The malware would allow the conspirators to extract data from Victim Company A’s network.

Once the data was extracted, the conspirators would extort Victim Company A for a substantial payment.

The conspiracy comes unstuck

Whatever Kriuchkov was after, things didn’t work out.

The insider contacted the authorities, and the authorities, it seems, tried to contact Kriuchkov.

According to the FBI, Kriuchkov then drove 800km from Reno to Los Angeles overnight, presumably in the hope of flying directly out of the USA before the net closed in.

But he didn’t make it and was arrested in Los Angeles.

What to do?

We’re assuming – if these allegations turn out to be well-founded – that the crooks would have included a file-scrambling component in their extortion malware, just because they could, and because it would almost certainly have made a bad thing worse if it worked.

But it’s important to note that this conspiracy seems to have existed on the basis of being able to extort money from the victim through stolen data alone.

In other words, cyberextortion crimes involving ransomware no longer need to rely on what would be the very last part of a traditional attack.

Cybercriminals seem to be confident there are millions to be made even if they fail at (or don’t bother with) that final file-scrambling step.

So, as we’ve said many times before, prevention is way better than cure; and earlier prevention is better yet.

We’ve often advised you to set up a single point of cybersecurity contact for all your staff, whether by phone or email, with the aim of turning everyone in the company into the eyes and ears of your IT security team.

In this case, a timely warning not only headed off the attack but also led to the arrest of a suspect.
