COVID-19 , Cryptocurrency Fraud , Cybercrime

Russian National Charged With Laundering Ryuk Ransoms

Denis Dubnikov Charged With Receiving Ransomware Proceeds, Faces Extradition to US
Russian National Charged With Laundering Ryuk Ransoms
Ryuk ransom note (Sources: Coveware, Malwarebytes)

The U.S. Department of Justice is seeking to extradite from the Netherlands a Moscow businessman who allegedly laundered money on behalf of the Ryuk ransomware operation.

See Also: Bank on Seeing More Targeted Attacks on Financial Services

Russian national Denis Dubnikov, 29, was arrested on Nov. 2 by Dutch authorities, after being expelled from Mexico - where he was attempting to vacation - and flown to the Netherlands, says Arkady Bukh, his New York-based attorney.

The U.S. extradition request cites a sealed indictment, filed in August by a grand jury in Portland, Oregon, accusing Dubnikov of receiving $400,000 worth of bitcoins in 2018, from attackers tied to Ryuk, who received the cryptocurrency from victims who paid a ransom, reports The Wall Street Journal, which viewed the extradition request.

Dubnikov has been charged by the U.S. with conspiracy to commit money laundering, Bukh tells the Journal, adding that his client "will be pleading not guilty because he had no knowledge of someone engaging in criminal activity."

Moscow-based legal firm Briefcase, of which Dubnikov is CEO, says that it is tracking the case. As threat intelligence firm Recorded Future's news site The Record reports, it's not clear if the U.S. charges might tie to funds that were moved to the Coyote Crypto or EggChange cryptocurrency exchanges, which Dubnikov founded.

Ryuk's Prevalence for Targeting Healthcare

The alleged amount received by Dubnikov would have been a small fraction of Ryuk's earnings. During 2020, the value of known ransom payments to Ryuk totaled nearly $100 million, blockchain analysis firm Chainalysis has reported.

Source: Chainalysis

In January, two security researchers reported that they'd identified at least $150 million in cryptocurrency profits as having been received by Ryuk from its victims since the group's inception in October 2018. Brian Carter, principal researcher at security firm HYAS, and Vitali Kremez, CEO of Advanced Intelligence, announced those findings after saying they'd identified 61 bitcoin addresses used by Ryuk operators and affiliates.

Attackers have a history of using Ryuk to target critical sectors, including healthcare.

In October 2020, a U.S. government cybersecurity alert warned that attackers wielding Ryuk were posing an "increased and imminent" threat to hospitals and medical facilities.

The attackers who wield Ryuk are part of a group that's been dubbed FIN12 by security researchers. While the group has a history of "prolific ransomware attacks," of even greater concern, says cybersecurity firm Mandiant, is that nearly 20% of known Ryuk victims have been in the healthcare sector, not least during the ongoing COVID-19 pandemic.

For Q3, ransomware incident response firm Coveware says that Ryuk was tied to 2% of the incidents it investigated, placing it in the top 10 ransomware groups for the quarter, based on prevalence. As of July, when a Ryuk victim paid a ransom, on average it paid $692,000, Coveware reports.

White House Moves Against Ransomware

The indictment against Dubnikov is only the latest evidence of the Biden administration's increasing move to blunt the damage being caused by ransomware. Those efforts intensified after the summer, when serious attacks disrupted East Coast fuel provider Colonial Pipeline, meat processing giant JBS, and IT managed software developer Kaseya, among many others.

Working with allied nations, the White House has been attempting to coordinate the disruption and, when possible, the arrest of both ransomware developers and affiliates. These business partners receive a copy of a group's crypto-locking malware, use it to infect victims, and receive a share of any ransom a victim pays.

Last week, police in Europe announced that since February, they have arrested six more suspects accused of working with REvil or its predecessor, GandCrab.

Also last week, the Justice Department announced the arrest of a Ukrainian national in Poland, who's been charged with perpetrating the attack against Kaseya, among other REvil attacks. Yaroslav Vasinskyi, 22, was arrested on Oct. 8 in Poland, and the U.S. is seeking his extradition. The Justice Department also announced that a Russian national has been charged with running multiple REvil attacks, but remains at large.

"Our message to ransomware criminals is clear: If you target victims here, we will target you," Deputy U.S. Attorney General Lisa Monaco said at a press conference last week.

The FBI is now offering rewards of up to $10 million "for information leading to the identification or location of any individual(s) who hold a key leadership position" in either the REvil ransomware operation, aka Sodinokibi, or the DarkSide operation, which rebranded as BlackMatter. In addition the FBI is offering a reward of up to $5 million for information tied to anyone working with those groups, including its affiliates.

The U.S. Treasury Department has also sanctioned two cryptocurrency exchanges for facilitating ransomware.

'Very Simple' Message

The arrest of suspects such as Dubnikov and Vasinskyi sends a "very simple" message to other ransomware groups, says Jason Steer, a security strategist at Recorded Future. Namely: "Facilitate ransomware-as-a-service payments in any form and prepare to be arrested if you go on holiday somewhere with an extradition agreement with the U.S. or the EU."

Many criminals remain cognizant of the challenge that being tied to ransomware may pose to their movements or personal safety, especially if they upset the wrong people, he says.

Earlier this month, for example, Russian language ransomware operation Conti attacked The House of Graff, a London-based jewelry business, and threatened to leak personal information on its customers unless it received a ransom. But The Daily Mail reported that attackers "apologized and retracted very quickly" their threat, vowing to excise any information about customers from Saudi Arabia, UAE or Qatar from the information being exposed, Steer says.

Follow the Money

Prosecutors charging Dubnikov with receiving some of the bitcoins victims paid to Ryuk shows how Western law enforcement agencies continue to refine their ability to track criminal funds, says Alan Woodward, a visiting professor in the computer science department at the University of Surrey.

"Following the money is a tried and tested method of tracking the criminals," he says. "The problem was that cryptocurrencies made that technique difficult. However, with newer tools you can get some idea of where the money has gone and then when combined with other techniques, it can lead you to those who cash out for the criminals or even the money mule networks that are so effective in dispersing the money to prevent tracking."

How the Ryuk gang collects and hides its ill-gotten ransom gains (Source: Advanced Intelligence/HYAS)

But the challenge of disrupting ransomware remains substantial, given the potential profits for practitioners, as well as the relative ease of such attacks - as compared, for example, with physically attempting to rob a bank, Woodward says.

Even so, "the law enforcement agencies have swung their big guns onto the subject," and begun to devote the often substantial amounts of time and effort that it takes to gather evidence, identify suspects and build cases, he says.

"Anyone involved in the supply chain of ransomware is now a target for the law enforcement agencies. Anyone who enables, supports and facilitates these criminals is as important to catch as those firing off the attacks," Woodward says. "The bottom line is that if your ability to run infrastructure to launch the attack or to profit by cashing in the ransoms is removed, then criminals must look elsewhere."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.