US charges Russian-Israeli citizen over Lockbit ransomware

The United States has charged Rostislav Panev, a Russian-Israeli dual citizen, for his alleged role as a developer for the Lockbit ransomware group, which authorities describe as one of the world’s most destructive cybercrime operations. Panev, arrested in Israel in August, awaits extradition.

Lockbit, active since 2019, targeted over 2,500 victims across 120 countries, including critical infrastructure and businesses, extorting $500 million. Recent arrests, guilty pleas, and international law enforcement efforts have significantly disrupted the group’s activities.

Experts say law enforcement actions have tarnished Lockbit’s reputation, reducing its attacks and deterring affiliates. Authorities emphasise the importance of holding cybercriminals accountable.

Global fight against ransomware: collaboration is the key to resilience

Diplo is reporting from the 2024 Internet Governance Forum (IGF) in Riyadh. On the forum’s first day, another essential panel of international experts shed light on the relentless rise of ransomware attacks and the global efforts to counter this growing cyber threat. Moderated by Jennifer Bachus of the US State Department, the session featured cybersecurity leaders Elizabeth Vish, Daniel Onyanyai, and Nils Steinhoff, who highlighted the scale of the crisis and the collaborative response through the Counter Ransomware Initiative (CRI).

Ransomware, described as ‘cybercrime as a service,’ has evolved from simple data encryption to complex extortion schemes targeting critical infrastructure worldwide. ‘Emerging markets are now increasingly in the crosshairs,’ noted Elizabeth Vish, pointing to growing vulnerabilities in developing economies that lack robust cybersecurity resources. With over $1.1 billion in crypto payments extracted by attackers in 2023 alone, ransomware continues to prove profitable, its impacts often crippling public services like hospitals and government institutions.

Established in 2021, the CRI is a coalition of nearly 70 nations dedicated to building collective cyber resilience. Operating under four pillars—policy development, capacity development, public-private partnerships, and the International Counter-Ransomware Task Force—the CRI offers platforms for real-time threat sharing, technical support, and global cooperation. Onyanyai emphasised the initiative’s mentorship model: ‘Advanced nations can guide less-prepared countries, ensuring no one faces this threat alone.’

Public-private cooperation emerged as a cornerstone of the fight. Vish stressed that private companies, often the first to detect attacks, ‘own critical infrastructure and can contribute threat intelligence and resilience strategies.’ Additionally, the role of cyber insurance was discussed as a tool for incentivising better cybersecurity hygiene while facilitating incident recovery.

The panellists underscored the need for collective preparation, emphasising proactive measures like multi-factor authentication and data backups. Vish coined the mantra: ‘Prepare, don’t pay.’ While CRI officially advocates a ‘no ransom’ stance, some countries still grapple with policies on payments.

The session concluded with a stark reminder: no country is immune to ransomware. Whether through emerging AI capabilities or evolving tactics, ransomware remains a persistent, global threat. As Jennifer Bachus aptly summarised: ‘Only through cooperation, capacity building, and resilience will we turn the tide against these cybercriminals.’

All transcripts from the Internet Governance Forum sessions can be found on dig.watch.

SEC and ICBC unit reach settlement after ransomware attack

The SEC has settled allegations against ICBC Financial Services, a US-based unit of the Industrial and Commercial Bank of China, following a ransomware attack in November 2023.

The attack disrupted the company’s operations, including its ability to maintain accurate records and notify customers of securities-related transactions for nearly four months.

Regulators cited the firm’s lack of preparation for a significant cybersecurity incident as a factor leading to the breach. Despite this, the SEC refrained from imposing a civil fine, crediting the company’s meaningful cooperation and extensive remedial efforts in addressing the situation.

ICBC Financial Services neither admitted nor denied any wrongdoing in the settlement. The agreement highlights the SEC’s focus on ensuring firms take proactive steps to strengthen their cybersecurity defences.

Russia arrests ransomware affiliate and alleged member of multiple hacking groups

Russian authorities have arrested and indicted Mikhail Pavlovich Matveev, a suspected ransomware affiliate accused of developing malware and collaborating with multiple hacking groups.

While the prosecutor’s office has not disclosed the suspect’s identity, court documents describe him as a ‘programmer.’ According to the Russian Ministry of Internal Affairs, sufficient evidence has been gathered, and the case has been referred to the Central District Court of Kaliningrad. Matveev is accused of creating ‘specialised malicious software’ designed to encrypt data from commercial organisations, demanding ransoms for decryption.

Matveev’s alleged criminal history extends beyond Russia. In May 2023, the US Department of Justice charged him for his involvement with the Hive and LockBit ransomware operations, which targeted victims across the United States. He is also suspected of playing a foundational role in the Babuk ransomware group and operating as ‘Orange,’ the creator of the Ramp hacking forum.

Ransomware disrupts Starbucks scheduling system

Starbucks is manually processing barista payroll after a ransomware attack disrupted the third-party software it uses for scheduling. Despite the outage, the company assured employees they would be paid correctly and instructed store managers on manual workarounds to keep operations running smoothly.

The attack targeted Blue Yonder, a cloud services provider whose clients include major grocery chains and Fortune 500 companies. Blue Yonder has faced backlash as its systems remain compromised, with multiple companies, including Ford, assessing potential impacts. The cybersecurity firm CrowdStrike is assisting with recovery efforts.

Ransomware attacks have surged globally, with hackers targeting critical operations, especially during high-demand periods like the holiday season. Starbucks’ new CEO Brian Niccol now faces an additional hurdle on top of three straight quarters of declining sales.

Four REvil ransomware members sentenced to over four years in prison

Four members of the REvil ransomware gang were sentenced to prison in Russia for hacking and money laundering. Artem Zayets received 4.5 years, Alexey Malozemov got 5 years, while Daniil Puzyrevsky and Ruslan Khansvyarov were sentenced to 5.5 and 6 years, respectively. Puzyrevsky, considered the leader, may face additional fines.

The St Petersburg Garrison Military Court’s decisions followed arrests of 14 individuals in early 2022, based on US tips, with authorities seizing over 426 million rubles (about $4.38 million), $600,000, and €500,000 in cash, along with cryptocurrency and luxury vehicles. The gang was linked to significant breaches at companies like JBS and Kaseya before disbanding in 2021.

REvil (Ransomware Evil) is ransomware that emerged around 2019. It is known for its sophisticated attacks and targeted operations against various organisations worldwide. It has allegedly been involved in several high-profile cases, including the Colonial Pipeline attack in May 2021, which led to the shutdown of the largest fuel pipeline in the US, causing fuel shortages and panic buying. The company paid approximately $4.4 million in ransom.

Russia opens criminal case against Cryptex founders

Russian authorities have initiated a criminal investigation against the founders of UAPS and Cryptex, accusing them of generating over $40 million in illegal profits. The case follows allegations of running unlicensed banking operations, unauthorised access to protected information, and creating a payment infrastructure that supported cybercriminal activities. The probe is being led by Moscow’s Investigative Committee.

UAPS, established in 2013, and Cryptex, launched in 2018, were primarily used by criminals for illegal currency exchanges and money laundering. In 2023 alone, the network saw more than $1.2 billion in illicit transactions. Russian law enforcement conducted 148 raids across 14 regions, detaining 96 suspects, many of whom face charges of organised crime and illegal banking.

The investigation comes just days after OFAC sanctioned Cryptex and its founder, Sergey Ivanov, accusing them of laundering funds linked to ransomware attacks and darknet markets. US authorities have labelled Ivanov’s other exchange, PM2BTC, as a major money laundering concern.

Binance founder completes four-month prison sentence for money laundering

Changpeng Zhao, founder of Binance, was released from a correctional facility in California on Friday. Zhao had been sentenced to four months earlier this year after admitting to money laundering violations at Binance, the world’s largest cryptocurrency exchange.

Prosecutors accused Binance of enabling criminal activity by failing to report over 100,000 suspicious transactions, including those linked to terrorist groups such as Hamas, al-Qaeda, and ISIS. The platform was also said to have facilitated the sale of child sexual abuse materials and received funds from ransomware activities.

In a settlement with US authorities, Binance agreed to pay a $4.32 billion penalty, while Zhao was personally fined $100 million. It includes a $50 million fine to the Commodity Futures Trading Commission, alongside the criminal penalties.

German authorities shut down 47 cryptocurrency exchanges in major anti-money laundering operation

German authorities have shut down 47 cryptocurrency exchange services in a major crackdown on illegal money laundering. The Federal Criminal Police Office (BKA) and the Central Office for Combating Internet Crime led the operation, targeting platforms that allowed users to exchange conventional currencies and cryptocurrencies without verifying their identities. These services bypassed the ‘know-your-customer’ (KYC) rules, enabling users to trade cryptocurrencies like Bitcoin and Ethereum quickly and anonymously.

Criminals reportedly used these exchanges to conceal the origins of illicit funds, often obtained through dark web drug sales or ransomware attacks. As part of the operation on 20 August, authorities confiscated 13 crypto ATMs and seized nearly $28 million in cash from 35 locations across Germany. Financial watchdog BaFin led the raids, targeting machines operating without the necessary licences, which posed significant money laundering risks.

The closure of these exchanges is part of a wider effort to disrupt cybercrime networks. Investigators managed to secure vital user and transaction data, which could assist in future money-laundering investigations. It follows earlier German crackdowns, including the seizure of ChipMixer, a platform involved in laundering €90 million in crypto.

Record $75 million ransom paid to hackers

An undisclosed victim paid $75 million to the Dark Angels ransomware group, setting a record for the largest ransomware payout. Zscaler, a cloud security firm, discovered the payment early in 2024 but did not name the affected organisation. The unprecedented payout is expected to attract other attackers aiming to replicate the Dark Angels’ success.

Zscaler reported an 18% increase in ransomware attacks from April 2023 to April 2024, with manufacturing, healthcare, and technology sectors being the most targeted. The rise in ransomware-as-a-service models, zero-day attacks, vishing, and AI-powered attacks has contributed to record-breaking ransom payments. The energy sector experienced a 500% increase in attacks, making it a prime target for cybercriminals.

The United States remains the top target for ransomware attacks, accounting for nearly half of all incidents. The Dark Angels group, which emerged in May 2022, is notable for targeting high-value healthcare, government, finance, and education companies. Their highest-profile attack in September 2023 involved stealing over 27TB of data from an international conglomerate and demanding a $51 million ransom. Zscaler warns that the success of Dark Angels may inspire similar tactics from other ransomware groups.