Russian ransomware companies in hiding in plain sight
MOSCOW – When cyber detectives tracked down the millions of dollars that US businesses, hospitals and municipalities paid to online extortionists as ransom, they made a revealing discovery: At least some went through one of the business addresses most prestigious in Moscow.
The Biden administration also focused on the building, Federation Tower East, the tallest skyscraper in the Russian capital. The United States has targeted several companies in the tower as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to decrypt it.
These payments are typically made in cryptocurrencies, virtual currencies like Bitcoin, which gangs then have to convert into standard currencies like dollars, euros, and rubles.
The fact that this skyscraper in Moscow’s financial district has become an apparent hub of such money laundering has convinced many security experts that Russian authorities tolerate ransomware operators. The targets are almost exclusively outside Russia, they point out, and in at least one case documented in a US sanctions announcement, the suspect was helping a Russian spy agency.
“That says a lot,” said Dmitri Smilyanets, a threat intelligence expert at Massachusetts-based cybersecurity firm Recorded Future. “Russian law enforcement usually has an answer: ‘There is no open case in Russian jurisdiction. There are no casualties. How do you expect us to prosecute these honorable people? “
Recorded Future has counted around 50 cryptocurrency exchanges in the city of Moscow, a financial district of the capital, which it estimates are engaged in illicit activity. Other neighborhood exchanges are not suspected of accepting crime-related cryptocurrencies.
Cybercrime is just one of many issues fueling tensions between Russia and the United States, along with the strengthening of the Russian military near Ukraine and a recent migrant crisis on the Belarusian-Polish border. .
The Treasury Department has estimated that Americans have paid $ 1.6 billion in ransoms since 2011. A Russian ransomware strain, Ryuk, made around $ 162 million last year by encrypting the computer systems of American hospitals for pandemic and demanding a fee to publish the data, according to Chainalysis, a cryptocurrency transaction tracking company.
The attacks on hospitals shed light on the burgeoning criminal ransomware industry, based primarily in Russia. Criminal syndicates have become more efficient and brazen in what has become a treadmill-like process of hacking, encryption, and then ransom negotiation in cryptocurrencies, which can be held anonymously.
At a summit meeting in June, President Biden urged Russian President Vladimir V. Putin to crack down on ransomware after a Russian gang, DarkSide, attacked a major east coast oil pipeline, Colonial Pipeline, disrupting supply and creating lines at gas stations. .
U.S. officials are naming people like Maksim Yakubets, a skinny 34-year-old man with a pompadour haircut whom the United States has identified as a mainstay of a major cybercrime operation calling himself Evil Corp. Cyber security analysts have linked his group to a slew of ransomware attacks, including one last year targeting the National Rifle Association. US sanctions announcement accused Yakubets of also aiding Russia’s Federal Security Service, the KGB’s main successor
But after the State Department announced a $ 5 million bounty for information leading to his arrest, Yakubets appeared only to display his impunity in Russia: he was pictured driving in Moscow in a Lamborghini partially painted in fluorescent yellow.
The alleged cryptocurrency exchange cluster in Federation Tower East, first reported last month by Bloomberg News, further illustrates how the Russian ransomware industry is hiding in plain sight.
The 97-story glass and steel skyscraper atop a bend in the Moscow River stands in plain view of several government departments in the financial district, including the Russian Ministry of Digital Development, Signals and Mass Communications.
Two of the Biden administration’s most forceful actions to date targeting ransomware relate to the tower. In September, the Treasury Department imposed sanctions on a cryptocurrency exchange called Suex, which has offices on the 31st floor. He accused the company of laundering $ 160 million in illicit funds.
In an interview at the time, Suex founder Vasily Zhabykin denied any illegal activity.
And last month, Russian media reported that Dutch police, using a US extradition warrant, arrested the owner, Denis Dubnikov, of another company called EggChange, with an office on the 22nd floor. In a statement released by one of his companies, Dubnikov denied any wrongdoing.
Ransomware is attractive to criminals, cybersecurity experts say, because attacks mostly take place anonymously and online, minimizing the chances of getting caught. It has evolved into a sprawling, highly compartmentalized industry in Russia known to cybersecurity researchers as “ransomware as a service.”
The organizational structure mimics franchises, like McDonald’s or Hertz, which lower barriers to entry, allowing less sophisticated hackers to use established business practices to enter the business. Several high profile gangs are developing software and promoting creepy brands, such as DarkSide or Maze, to intimidate businesses and other organizations that are targets. Other groups that are only loosely related hack into computer systems using the brand and franchise software.
The growth of the industry has been aided by the rise of cryptocurrencies. This made the old-school silver mules, which sometimes had to smuggle money across borders, all but obsolete.
Laundering cryptocurrency through exchanges is the last step, and also the most vulnerable, as criminals must leave the anonymous online world to appear at a physical location, where they exchange Bitcoin for cash or deposit it. in a bank.
Foreign exchange bureaus are “the end of the Bitcoin ransomware rainbow,” said Gurvais Grigg, a former FBI agent who is a researcher at Chainalysis, the cryptocurrency tracking firm.
Computer codes in virtual currencies make it possible to track transactions from one user to another, even if the identities of the owners are anonymous, until the cryptocurrency reaches an exchange. There, in theory, the records should tie the cryptocurrency to a real person or business.
“They are really one of the key points of the whole ransomware strain,” Grigg said of the bureau de change. Ransomware gangs, he said, “want to make money. And until you’ve withdrawn it and obtained it through a withdrawal point exchange, you can’t spend it.
It is at this stage, according to cybersecurity experts, that the criminals must be identified and apprehended. But the Russian government has allowed the exchange to flourish, saying it will only investigate cybercrime if Russian laws are broken. Regulations are a gray area in Russia, as elsewhere in the nascent cryptocurrency trading industry.
Russian cryptocurrency traders claim that the United States places an unfair burden of due diligence on its businesses, given the rapidly changing nature of regulations.
“The people who are real criminals, who create ransomware, and the people who work in the city of Moscow are completely different people,” said Sergei Mendeleyev, founder of a Federation Tower East-based trader Garantex in an interview. Russian crypto exchanges, he said, have been blamed for crimes they are not aware of.
Mr Mendeleyev, who is no longer with the company, said the US cryptocurrency tracking services provide data to non-Russian exchanges to help them avoid illicit transactions, but have refused to work with Russian traders. , in part because they suspect that traders might use the information. to warn criminals. This complicates the efforts of Russian companies to eradicate illegal activities.
He admitted that not all Russian exchanges have tried very hard. Some based in Moscow’s financial district were little more than a desk, a safe filled with cash and a computer, he said.
At least 15 cryptocurrency exchanges are based in Federation Tower East, according to a list of construction companies compiled by Yandex, a Russian mapping service.
In addition to Suex and EggChange, companies targeted by the Biden administration, cyber researchers and an international cryptocurrency exchange company have reported two other tenants of buildings they suspect of illegal activity involving Bitcoin.
Building manager, Aeon Corp., did not respond to inquiries about the exchanges at its offices.
Like the banks and insurance companies with which they share space, these companies likely chose the site for its status and the strict security of its buildings, said Mr Smilyanets, a researcher at Recorded Future.
“The skyscrapers of the city of Moscow are very chic,” he said. “They can post on Instagram with these beautiful views, these beautiful skyscrapers. This strengthens their legitimacy.