Surprise! They’re in Russia
The individuals are unlikely to be jailed unless they leave Russia, but their proceeds are being seized
Law enforcement agencies have named the leaders of two prominent malware families and are taking their operations down.
The US Department of Justice has unsealed indictments against the suspected leaders of the Qakbot and DanaBot malware families, respectively two and three years after first filing them.
All of the accused reside in Russia, which is unlikely to extradite suspected cybercriminals.
The first case is against Rustam Rafailevich Gallyamov, 48, who lives in Moscow. He is accused of leading the Qakbot cybercrime ring, which law enforcement agencies took down in 2023.
Qakbot (also known as Qbot) began as a banking trojan and evolved into a loader that provided initial access to ransomware gangs including Conti, Ryuk and Black Basta. Traces of it were found on more than 700,000 machines worldwide.
A federal grand jury has charged Gallyamov with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud.
The indictment (obtained by The Register) says Gallyamov developed, deployed and controlled Qakbot from 2008, and that he continued operating even after the well-publicised 2023 takedown, though he and his team changed tactics to find new victims.
However, a joint operation by Germany’s Bundeskriminalamt (BKA), the Netherlands’ National Police, the French Police Cybercrime Central Bureau, Europol and the FBI succeeded in seizing illicit proceeds last month, including more than 30 Bitcoin (about $3.3 million) and $700,000 in Tether tokens, as part of Operation Endgame II.
Gallyamov remains at large inside Russia.
DanaBot going down
The Justice Department has also unsealed indictments, first filed in 2022, against 16 individuals said to be associated with the DanaBot malware family, which infected more than 300,000 computers.
Those named are Aleksandr Stepanov, Danil Khalitov, Aleksey Efremov, Kamil Szturgulewski, Ibrahim Idowu, Artem Shubin and Aleksey Khudyakov, each identified with their online aliases, plus eight individuals listed only as ‘FNU LNU’ (First Name Unknown, Last Name Unknown), each identified solely by a separate online handle.
The suspects are alleged to be heads, developers, administrators and other stakeholders in the DanaBot operation.
DanaBot has two variants. The first (the ‘Criminal Variant’) was sold as malware-as-a-service, with packages costing between $1,000 and $4,000 a month; the second (the ‘Espionage Variant’) was focused on data exfiltration. Criminals used the former against commercial organisations worldwide, such as banks, while the latter was largely deployed against military, diplomatic and government entities.
Separate servers ensured the data exfiltrated by the Espionage Variant was stored in Russia.
Threat research manager John Hopkins, who worked on the US government’s DanaBot investigation, told The Register that the operators were probably working with the Russian government:
“The clue is in where the actors are based, and the way that the criminal and political world is intertwined in Russia.
“You know that they’re operating under the graces of the government and then probably under the watchful gaze of the intelligence agencies there. And what better way to do a more targeted espionage campaign than try and cover it up as if it’s just criminality?”
Like the action against Qakbot, the action against DanaBot is part of Operation Endgame II, and law enforcement is in the process of dismantling the malware’s infrastructure.
From a high of more than 30 DanaBot servers active “on any particular day,” Hopkins says the number has now fallen to two.