Original Article Text

Police arrest creator of Ransom Cartel, Reveton ransomware operations

Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain and extradited to the USA to face charges for creating the Ransom Cartel ransomware operation in 2021 and for running a malvertising operation from 2013 to 2022.

The threat actor operated under the aliases "J.P. Morgan," "xxx," and "lansky" on Russian-speaking hacking forums, where he allegedly promoted the cybercrime operations.

The authorities unsealed two separate indictments, one in the District of New Jersey concerning the malvertising operation and one in the Eastern District of Virginia for the Ransom Cartel operation.

Co-conspirators Volodymyr Kadariya, a Belarusian and Ukrainian national, 38, and Andrei Tarasov, a Russian national, 33, were also charged for their role in the malvertising operation.

"An international operation coordinated by the National Crime Agency (NCA) has resulted in the arrest and extradition of a man believed to be one of the world's most prolific Russian-speaking cybercrime actors," reads a statement from the UK's National Crime Agency.

"The NCA has been investigating the online moniker 'J.P. Morgan' and his criminal network since 2015, with parallel investigations also being run by the United States Secret Service (USSS) and FBI."

"J.P. Morgan and his associates are elite cyber criminals who practiced extreme operational and online security in an effort to avoid law enforcement detection."

The Ransom Cartel operation

Ransom Cartel is a ransomware operation launched in December 2021, with its encryptor featuring extensive code similarities to the REvil family.

The lack of strong obfuscation prompted analysts to assume that it was the creation of a core member who lacked the obfuscation engine found in REvil, rather than a reboot/rebrand by the same team of cybercriminals.

According to the indictment, Silnikau created and administered Ransom Cartel, managing the "ransomware-as-a-service" operation and recruiting other cybercriminals from Russian-speaking forums to participate in attacks.

He also negotiated with "initial access brokers" (IABs) who provided access to compromised corporate networks, managed communications with victims, and handled ransom payments. Silnikau also transferred ransom payments through cryptocurrency mixers to obscure the money trail and complicate law enforcement efforts, clearly holding a central role in the operation.

Reveton ransomware

The NCA also states that Silnikau was behind the Reveton trojan, Windows malware that was notorious for locking users out of the operating system until a ransom was paid.

The malware launched in 2011 and pretended to be law enforcement locking a computer because child pornography and copyrighted material had been detected. To regain access to the computer, victims were required to send a ransom in the form of a MoneyPak, PaySafeCard, or other online payment.

Between 2012 and 2014, Reveton, which was sold to various cybercriminals for profit, generated $400,000 daily.

Malvertising operation

The defendant also played a leading role in orchestrating and executing a large-scale malvertising scheme from October 2013 to March 2022. His primary responsibilities included developing and distributing malicious advertisements that appeared legitimate but redirected users to sites containing malware, scareware, and online scams.

Specifically, the operation distributed the following:

Silnikau used various online aliases and fake companies to deceive the abused advertising platforms and was directly involved in selling access to devices compromised via this scheme.

Additionally, he collaborated on the development and maintenance of technical infrastructure, such as Traffic Distribution Systems (TDSes), to manage and target their malicious campaigns more effectively.

Maksim Silnikau is facing serious legal consequences based on the charges in both indictments, including prison sentences for wire fraud, computer fraud, computer fraud and abuse, aggravated identity theft, and access device fraud. If convicted on all charges, Silnikau could potentially face a sentence exceeding 100 years in prison, though the actual time served is typically much shorter because the sentences are served concurrently.

Daily Brief Summary

CYBERCRIME // Global Effort Leads to Arrest of High-Profile Cybercriminal

Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain and extradited to the USA on charges of running major cybercrime operations including the Ransom Cartel ransomware and a malvertising scheme.

Silnikau, known by aliases including "J.P. Morgan," led the Ransom Cartel, a ransomware-as-a-service operation, which surfaced in 2021 with similarities to the REvil ransomware family.

From 2013 to 2022, Silnikau also orchestrated a large-scale malvertising operation that distributed malware, scareware, and facilitated online scams.

Co-conspirators Volodymyr Kadariya and Andrei Tarasov were charged in connection with the malvertising operation, highlighting the international scope of the criminal network.

Silnikau’s criminal activities included negotiating ransom payments, managing communications with victims, and obscuring financial transactions using cryptocurrency mixers.

He was also the creator of the Reveton ransomware, launched in 2011, which locked users out of their systems and demanded a ransom under the guise of law enforcement fines.

The charges against Silnikau could lead to a prison sentence exceeding 100 years if convicted on all counts, although actual sentencing may be less due to concurrent terms.

This arrest was part of a coordinated international law enforcement effort involving the National Crime Agency (NCA), the United States Secret Service, and the FBI.