33-Year-Old Foreign National Accused of Spreading Ryuk and Other Ransomware
A suspected initial access specialist for a ransomware-wielding group is being extradited from Ukraine to the United States to stand trial.
Ukrainian police accused the 33-year-old man of finding vulnerabilities in corporate networks to gain initial access, so that the group could then exploit the target using various strains of ransomware.
Authorities haven’t named the suspect, but did say he’s not a Ukrainian national. The U.S. Department of Justice didn’t immediately respond to a request for comment.
Police arrested the man in April in Kyiv, where he was residing, after the FBI put him on an international watch list. Authorities said the suspect was transferred to U.S. custody on Wednesday, following the District Court of Kyiv approving his extradition.
The Prosecutor General’s Office of Ukraine said the suspect was arrested based on U.S. charges accusing him of being “a member of an organized criminal group involved in the spread of the Ryuk ransomware,” among other types of malware, according to a machine translation.
The ransomware-wielding criminal group has been accused of perpetrating over 2,400 attacks against organizations in more than 70 countries, and receiving ransom payments – in return for a promise to decrypt forcibly encrypted data – that exceeded $100 million.
Ukrainian police said the suspect was identified thanks to information seized in late 2023 as part of an ongoing, international police operation targeting a Ukrainian crime group that wielded multiple ransomware strains.
Ukrainian police have accused the ransomware-wielding group of attacking some of the world’s biggest companies, including Norwegian aluminum giant Norsk Hydro in 2019, as well as the Dutch arm of a U.S.-based chemical company, which reportedly paid a ransom of 450 Bitcoins, then worth $1.3 million.
As part of the same law enforcement investigation, Ukrainian police in November 2023 said they arrested “the 32-year-old leader of the hacker group and his four most active accomplices,” with the assistance of law enforcement agencies in the United States, Norway, the Netherlands, Germany and France (see: Police Bust Suspected Ransomware Group Ringleader in Ukraine).
Europol, the EU’s law enforcement intelligence agency, which is helping to coordinate the operation, accused the group of wielding such strains of crypto-locking malware as Dharma, Hive, LockerGoga and MegaCortex – among others – to attack victims.
As part of that crackdown, law enforcement agents conducted more than 80 searches across Ukraine, seized cryptocurrency assets worth more than half a million dollars, as well as nine luxury cars and 24 plots of land with a total area of nearly 30 acres.
Those searches, seizures and the arrest of the five suspects built in part on digital forensic evidence gathered from a first round of arrests in October 2021, when police detained 12 “high-value targets” in both Ukraine and Switzerland.
Some of the suspected hackers allegedly dealt with initial access to networks, including through brute-force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments. “Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as TrickBot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access,” Europol said at the time.
Investigators had not previously accused the group of working as affiliates of Ryuk, which was a major ransomware-as-a-service operation.
Ryuk first emerged around the middle of 2018, before rebranding as Conti around May 2020, and appearing to merge with TrickBot by the end of 2021, said TRM Labs. The group relied on droppers such as TrickBot to help spread its malware.
The Conti operation appears to have disbanded in 2022, after its operators’ disastrous decision to publicly back President Vladimir Putin’s war of conquest against Ukraine, which led to its ransom payments drying up. Before disappearing, Conti spawned multiple spinoffs, including Akira, Black Basta, Hive and Royal (see: Ransomware Leak Sites Suggest Attacks Reached Record High).