Analysis of Counter-Ransomware Activities in 2024

-

 


The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.

  • RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.
  • Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
  • Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.

With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.

Ransomware Operator Arrests and Sanctions

During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates as it was the largest and highest earning ransomware operation to date.

Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad as well.

Law Enforcement Activity
Month Group(s) Law Enforcement Activity
February 2024 SugarLocker, REvil Russian authorities have identified and arrested three alleged members in Moscow of a ransomware gang called SugarLocker.
February 2024 LockBit The LockBit leak site was seized. Two LockBit affiliates were arrested in Poland and Ukraine. Up to 28 servers belonging to LockBit were taken down.
February 2024 LockBit Two Russian nationals, Ivan Kondratiev and Artur Sungatov, were sanctioned by the US Treasury for being affiliates of LockBit, among other RaaS.
May 2024 LockBit Dmitry Khoroshev, the administrator and developer of LockBit was sanctioned by the US Treasury.
May 2024 IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, TrickBot European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), over 100 servers and 2,000 domains being seized. One of the main suspects earned €69 million by renting out infrastructure sites to deploy ransomware.
June 2024 Conti, LockBit A Ukrainian national was arrested for supporting Conti and LockBit ransomware attacks as a crypter developer.
August 2024 Reveton, RansomCartel Maksim Silnikau, a Belarusian national, was arrested in Spain for running Reveton and RansomCartel.
August 2024 Karakurt, Conti Deniss Zolotarjovs, a Latvian national was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti.
October 2024 Evil Corp, LockBit The UK, alongside the US and Australia, has sanctioned 16 members of Evil Corp, including Aleksandr Ryzhenkov, Viktor Yakubets, and Eduard Benderskiy.
November 2024 Phobos Evgenii Ptitsyn, a Russian national, was arrested and extradited to the US from South Korea for running the Phobos ransomware gang.
December 2024 LockBit Rostislav Panev, a dual Russian and Israeli national, was arrested in Israel for developing LockBit ransomware.
December 2024 LockBit, Babuk, Hive Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined and had his cryptocurrency seized and is awaiting trial.

The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown as they put up a fake seizure notice as part of an exit scam in March 2024 after the attack on UnitedHealth.

Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list as well as Hunters International and PLAY.

Cryptocurrency Exchanges Disrupted

During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).

One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destablise. The NCA linked payments to ransomware gangs to money laundering networks used by Russian oligarchs to covertly purchase property and Russia Today, the state-run media organization, to covertly fund pro-Russia foreign entities.

Another notable investigation in 2024 was when the US Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, that led to money launderers that facilitate the cashing out of ransom payments being arrested by Russian law enforcement.

Law Enforcement Activity
Month Exchange(s) Law Enforcement Activity
August 2024 Cryptonator The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others.
September 2024 PM2BTC, Cryptex, UAPS FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national, who is associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments.
September 2024 47 exchanges In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services that ransomware gangs use that operated without requiring registration or identity verification.
October 2024 Cryptex, UAPS Russian authorities have arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex.
November 2024 Smart, TGR Group The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise that involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today.

Safe Havens Enabling Ransomware

While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.

The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.

While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.

Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.

In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.

Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gang, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.

The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.

Outlook

In 2024, there was lots of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.

Many of Russian law enforcement activities could all be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing funds of the illicit cryptocurrency exchanges could be to pay for the war in Ukraine and they could be recruiting arresting cybercriminals for offensive cyber operations related to the war in Ukraine. The true motivations of Russian law enforcement arresting these specific ransomware operators but allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money or lack connections in the FSB like Evil Corp has.

Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-sprea...
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to t...
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on ...
Read more