The FBI has seized 39.9 bitcoins from an alleged affiliate of the notorious REvil ransomware group, which has been tied to illicit profits of more than $200 million. The seizure occurred 03 August 2021 and was reported on 30 November 2021 in a complaint for forfeiture filed by acting U.S. Attorney Chad E. Meacham in the U.S. District Court for the Northern District of Texas, backed by FBI Special Agent Joshua Jacobs. It says the funds were seized from an Exodus wallet, which refers to a piece of software that manages the private keys needed to access the addresses where cryptocurrency funds are being stored.
The Department of Justice says the funds are subject to civil forfeiture because they were gained via computer fraud, wire fraud, and money laundering. As of the filing, the value of the seized cryptocurrency was $2.3 million. Under U.S. federal law, the government must identify any defendant it believes could make a valid claim for the funds and attempt to notify them of the forfeiture. Any claimant would then have 21 days to file an answer to the complaint or file a motion.
The DOJ's civil forfeiture claim says "the individual reasonably appearing to the government, at this time, to be potential claimant to the defendant property," is Aleksandr Sikerin, aka Alexander Sikerin and Oleksandr Sikerin. His last known address is listed as being in St. Peterburg, Russia, and the government says his email address is firstname.lastname@example.org. Sikerin is accused of working as an affiliate of the REvil, aka Sodinokibi ransomware group.
"The offenses involved concern the ransomware variant is known as Sodinokibi/REvil," the court document states. "Between on or about April 2019, and July 2021, ransomware attacks across the United States, and elsewhere, were committed resulting in the receipt of over $200 million in ransom payments by Sodinokibi actors." The filing states that the seized cryptocurrency "constitutes, was derived from, and is traceable to ransomware attacks committed by Sikerin," and that the cryptocurrency "is also involved in and traceable to the money laundering conspiracy involving Sodinokibi ransom payments."
Short of arresting suspects, security experts say that disrupting the ransomware business model remains a needed intervention by police. "It is a good move by law enforcement to hit cybercriminals where it hurts by seizing their funds," says John Fokker, the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise.
The seizure of Silkerin's alleged bitcoins follows the DOJ having seized other stashes of cryptocurrency allegedly gained from ransom payments, including $6.1 million worth of bitcoins allegedly amassed by Russian national Yevgeniy Polyanin, 28, who remains at large. An indictment unsealed last month charges him with having run multiple REvil attacks. Reporters with the Daily Mail recently tracked Polyanin to his home in the Siberian city of Barnaul, where he's reportedly "living freely."
In November 2021, the Justice Department issued an extradition request for Russian national Denis Dubnikov, 29, who was arrested on 02 November 2021 by Dutch authorities after he was expelled from Mexico. The Wall Street Journal reports that the extradition request, which cites a sealed indictment, accuses Dubnikov of receiving in 2018 bitcoins worth $400,000 from attackers tied to the Ryuk ransomware operation.
Multiple security researchers state Sikerin the defendant named in the forfeiture complaint appears to be tied to activities carried out by a REvil affiliate known as Lalartu, which is the name of a ghostly, vampiric spirit in Sumerian legend.
Using open-source intelligence methods, security researcher Alon Gal in February 2020, for example, detailed on his Under the Breach blog finding that Lalartu was active both on Exploit.in hacking forum, as well as on Russian hacking forum BHF.io, with the usernames Protokol, Marka, and Eng_Fog. The latter parallels the "email@example.com" email address cited in the U.S. government's forfeiture complaint.
While that connection alone might appear to be circumstantial, multiple security experts have told Information Security Media Group that they believe Sikerin is Eng_Fog or Engfog, as well as Lalartu. Lalartu has a history. In 2019, security firm McAfee reported that Lalartu was an affiliate of Sodinokibi as well as its predecessor, GandCrab. It said Lalartu was then one of dozens of active Sodinokibi affiliates, and that he'd boasted in a cybercrime forum post of having earned $287,000 from his ransomware activities in just 72 hours.
Besides boasting of working with ransomware operations, Lalartu also sold access to hacked sites via Exploit.in, New York-based cyber intelligence firm Advanced Intelligence, aka AdvIntel, reported in 2019. Lalartu's specialty was using Cobalt Strike and Metasploit penetration frameworks, sometimes backed by stolen remote desktop protocol credentials, to breach sites and gain persistent, remote access to administrative panels and Active Domain controllers," Yelisey Boguslavskiy, director of research at AdvIntel, reported.
The U.S. government has not said how it identified or seized the cryptocurrency allegedly amassed by Sikerin. In the case of Polyanin, Deputy Attorney General Lisa Monaco told reporters last month only that the seizure was facilitated by "good, old-fashioned detective work," and that "we were able to recover ransom by following the money."
"The current multidisciplinary approach is showing some clear results and sends a powerful message that crime shouldn't pay," McAfee Enterprises' Fokker said.
Despite the timing of the Biden administration's ransomware-crackdown announcement, the latest seizures and arrests may date from efforts begun much earlier, says cybercrime expert Alan Woodward, who is a visiting professor in the University of Surrey's computer science department. "The general message about ransomware is that the law enforcement agencies have swung their big guns onto the subject," he says. "It takes to time to catch these criminals, so this is not a new focus as such, but is the culmination of strategic decisions made possibly two years ago."
The crackdowns and disruptions now coming to light demonstrate that "anyone involved" in any way with using or supplying or aiding and abetting anyone or anything in "the supply chain of ransomware is now a target for the law enforcement agencies," Woodward says.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company-wide.
- For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings