
Ransom Cartel, Reveton ransomware owner arrested, charged in US


Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain and has now been extradited to the USA to face charges for creating the Ransom Cartel ransomware operation in 2021 and running a malvertising operation from 2013 to 2022.

The threat actor operated under the aliases "J.P. Morgan," "xxx," and "lansky" on Russian-speaking hacking forums, where he allegedly promoted the cybercrime operations.

The authorities unsealed two separate indictments: one for the District of New Jersey regarding the malvertising operation and one for the Eastern District of Virginia regarding the Ransom Cartel operation.

Co-conspirators Volodymyr Kadariya, a Belarusian and Ukrainian national, 38, and Andrei Tarasov, a Russian national, 33, were also charged for their roles in the malvertising operation.

"These conspirators are alleged to have operated a multiyear scheme to distribute malware onto the computers of millions of unsuspecting internet users around the globe," said US Attorney Philip R. Sellinger for the District of New Jersey. "To carry out the scheme, they used malicious advertising, or 'malvertising', to trick victims into clicking on legitimate-seeming internet ads."

The UK's National Crime Agency announced today that Silnikau was arrested in Spain on July 18, 2023.

An international operation coordinated by the NCA has resulted in the arrest and extradition of a man believed to be one of the world’s most prolific Russian-speaking cybercrime actors. FULL STORY https://t.co/kgPdMAwqPZ pic.twitter.com/MVjRLco55R

— National Crime Agency (NCA) (@NCA_UK) August 13, 2024

The Ransom Cartel operation

Ransom Cartel is a ransomware operation that launched in December 2021, sharing extensive code similarities with the REvil family.

The lack of strong obfuscation led analysts to conclude that Ransom Cartel was created by a core REvil member who did not have the obfuscation engine found in REvil, rather than being a reboot or rebrand by the same team of cybercriminals.

According to the indictment, Silnikau created and administered Ransom Cartel, managing the "ransomware-as-a-service" operation and recruiting other cybercriminals from Russian-speaking forums to participate in attacks.

He also negotiated with "initial access brokers" (IABs) who provided access to compromised corporate networks, managed communications with victims, and handled ransom payments.

Silnikau also transferred ransom payments through cryptocurrency mixers to obscure the money trail and complicate law enforcement efforts, clearly holding a central role in the operation.

Ransom Cartel ransom note (Source: BleepingComputer)

Reveton ransomware

The NCA also states that Silnikau was behind the notorious Reveton trojan, a Windows malware that locked users out of the operating system until a ransom was paid.

The malware launched in 2011 and pretended to be law enforcement locking a computer due to the detection of child pornography and copyrighted material.

To regain access to the computer, victims were required to pay a ransom via MoneyPak, PaySafeCard, or other online payment methods.

Example of the Reveton trojan impersonating the US NSA (Source: BleepingComputer)

The malware predominantly impersonated law enforcement agencies from the United Kingdom and the USA.

Between 2012 and 2014, Reveton was sold to other cybercriminals who heavily distributed it through sites compromised with exploit kits.

The NCA reports that the Reveton operation generated $400,000 between 2011 and 2013.

The operation's success also spurred other cybercriminals to launch similar lockers, such as the Urausy and Harasom Ransomware families, which were, in many cases, indistinguishable from Reveton.

Malvertising operation

The defendant is also suspected of orchestrating and executing a large-scale malvertising scheme from October 2013 to March 2022.

His primary responsibilities included developing and distributing malicious advertisements that appeared legitimate but redirected users to sites containing Internet Explorer exploit kits, malware, scareware, and online scams.

Specifically, the operation distributed the following:

  • Angler Exploit Kit (AEK): Designed to exploit flaws in web browsers and plugins to deliver additional payloads on the compromised devices.
  • Locker malware: A kind of ‘lite’ ransomware tool that prevents the victim from accessing their data, often demanding a payment to restore access.
  • Scareware: Deception tools that alleged infections on the victims’ computers via forged alerts, prompting them to download harmful software or provide personal information to the cybercriminals.

Silnikau used various online aliases and fake companies to deceive the advertising platforms he abused, and he was directly involved in selling access to devices compromised through this scheme.

Additionally, he collaborated on developing and maintaining technical infrastructure, such as Traffic Distribution Systems (TDSes), to manage and target their malicious campaigns more effectively.

"At its peak, Angler represented 40% of all exploit kit infections, having targeted around 100,000 devices and with an estimated annual turnover of around $34 million." - NCA

Maksim Silnikau faces significant legal consequences based on the charges in both indictments, including prison sentences for wire fraud, computer fraud, computer fraud and abuse, aggravated identity theft, and access device fraud.

Silnikau could potentially face a sentence exceeding 100 years in prison if convicted on all charges, though the actual time served is typically much shorter because such sentences are usually served concurrently.