Here’s a cybercrime conspiracy story with a difference.
When we write about network-wide ransomware attacks where a whole company is blackmailed in one go, two burning questions immediately come up:
- How much money did the crooks demand?
- Did the victim pay up?
The answers vary, but as you have probably read here on Naked Security, modern ransomware criminals often use a two-pronged extortion technique in an attempt to maximise their asking price.
First, the crooks steal a trove of company files that they threaten to make public or to sell on to other crooks; then they scramble the data files on all the company’s computers in order to bring business to a halt.
Pay up the blackmail money, say the crooks, and they will not only “guarantee” that the stolen data will never be passed on to anyone else, but also provide a decryption program to reconstitute all the scrambled files so that business operations can resume.
Recent reports include an attack on fitness tracking company Garmin, which was allegedly blackmailed for $10m and did pay up, though apparently after wangling the amount down into the “multi-million” range; and on business travel company CWT, which faced a similar seven-figure demand and ended up handing over $4.5m to the criminals to get its business back on the rails.
In contrast, legal firm Grubman Shire Meiselas & Sacks faced a whopping $42m ransomware extortion demand but faced it down, likening the crooks to terrorists and refusing to pay a penny.
More recently, US liquor giant Brown-Forman took a similar stance, refusing to deal with criminals after its network was infiltrated.
The third question
Of course, there’s a third question, one that isn’t quite as dramatic as “How much?”, but that is way more important:
- How did the crooks get in to start with?
There are lots of possible answers to that one, including: by using exploits against unpatched software bugs; by sending infected attachments in phishing emails; by luring employees to fake login pages to steal passwords; by using existing malware in the network to download and deploy the ransomware program; by finding unprotected remote access portals such as RDP or SSH…
…or by getting insider help.
And that’s what happened – or so the US Department of Justice (DOJ) alleges – in a recent cybercrime misadventure in Reno, Nevada.
According to federal criminal charges filed this week, the DOJ claims that a certain Egor Igorevich Kriuchkov of Russia not only planned a malware attack against a US company, but also travelled in person to America to negotiate with an employee of the company to implant the malware and thus initiate the attack.
Old meets new
In a fascinating mix of old-school face-to-face techniques and new-wave cybercriminality, Kriuchkov, who is 27 years old, is alleged to have set up a meeting via WhatsApp, then travelled to San Francisco and driven on to Reno in Nevada to talk to an unnamed employee of his planned victim company to propose a “special project”.
Acting on behalf of unnamed co-conspirators, presumably safely back in Russia where (if they are Russian citizens) they have constitutional protection against extradition, Kriuchkov is alleged to have dangled a million-dollar carrot in front of the insider in return for their help in perpetrating the crime.
The court filing claims that the insider would have been expected to provide information relevant in tailoring the attack to the victim’s network, and then to connect up and run the malware to infect the network.
In return, Kriuchkov promised the insider a cool $1,000,000.
No details are given in the affidavit about what network intelligence the insider was expected to come up with, but you can probably imagine lots of details that would be valuable to attackers, including: lists of computer and server names; network diagrams including internal IP numbering, firewall setup and VLAN configuration; any security software installed; usernames and working hours; IT staff and shift patterns; and much more.
Apparently, while the malware was being unleashed from inside the network, Kriuchkov – presumably back in Russia at this point – and his co-conspirators were planning to launch a “decoy” attack from outside, thus distracting the company’s IT team from the more serious problem unfolding internally.
The charge sheet doesn’t make any mention of file scrambling in the plans, claiming merely that:
The co-conspirators would engage in a Distributed Denial of Service Attack to divert attention from the malware.
The malware would allow the conspirators to extract data from Victim Company A’s network.
Once the data was extracted, the conspirators would extort Victim Company A for a substantial payment.
The conspiracy comes unstuck
Whatever Kriuchkov was after, things didn’t work out.
The insider contacted the authorities, and the authorities, it seems, tried to contact Kriuchkov.
According to the FBI, Kriuchkov then drove 800km from Reno to Los Angeles overnight, presumably in the hope of flying directly out of the USA before the net closed in.
But he didn’t make it, and was arrested in Los Angeles.
What to do?
We’re assuming – if these allegations turn out to be well-founded – that the crooks would have included a file-scrambling component in their extortion malware, just because they could, and because it would almost certainly have made a bad thing worse if it worked.
But it’s important to note that this conspiracy seems to have existed on the basis of being able to extort money from the victim through stolen data alone.
In other words, cyberextortion crimes involving ransomware no longer need to rely on what would be the very last part of a traditional attack.
Cybercriminals seem to be confident there are millions to be made even if they fail at (or don’t bother with) that final file-scrambling step.
So, as we’ve said many times before, prevention is way better than cure; and earlier prevention is better yet.
We’ve often advised you to set up a single point of cybersecurity contact for all your staff, whether by phone or email, with the aim of turning everyone in the company into the eyes and ears of your IT security team.
In this case, a timely warning not only headed off the attack but also led to the arrest of a suspect.
3 comments on “Russian cybercrime suspect arrested in $1m ransomware conspiracy”
In the biggest travesty of all here, we see the distance from Reno to LA measured in km.
…apologies in advance to Nathan Poe.
Amusingly, in 1959, six countries that all used Imperial weights and measures at the time (although for one of them the units were “customary” rather than “imperial” for reasons dating back to 1776) signed an agreement that officially defined the pound mass and the yard as fixed fractions of the kilogram and the metre respectively. Those countries were UK, CA, AU, NZ, ZA and US.
1 yard is 0.9144 metres *by definition* (which is the same as defining one inch as 25.4 millimetres, which is the fewest number of digits you need to memorise in order to know the ratio exactly).
(1 pound mass is defined as 0.45359237 kilograms. The second is now defined using the behaviour of a caesium nucleus. The metre is defined using the second and the speed of light in a vacuum. The kilogram is defined using the second and the metre. And the bloke didn’t make it to LAX in time. Maybe, being Russian, he saw signs saying “Los Angeles 500” and figured it was only 500km and not 500 miles)
Thank you for using the units which the majority of your readers and the world population are familiar with, even when some minority is not using SI units but sticks to miles and co.