The Daily Telegraph

How Russian hackers revealed Western sanctions are working

Cybercrime gang Evil Corp was forced to change tactics to extort victims’ cash until it targeted investigators, writes Gareth Corfield


Russian ransomware criminals have unwittingly exposed the effectiveness of global sanctions, after trying to hack the very researchers who unmasked them.

Earlier this month, research by cyber investigators at Virginia-based Mandiant traced exactly how Evil Corp – a Russian-based group of “cyber-enabled bank robbers” – tried to hide behind a web of anonymity to evade sanctions and continue to steal from Britain and the US. The group then turned on Mandiant in an attempted data theft.

In a unique twist, their failed efforts highlighted that targeted sanctions might be the elusive key that the Western world needs to defeat ransomware gangs.

Described by Britain’s National Crime Agency (NCA) as causing losses of “hundreds of millions of pounds in the UK alone”, the cybercrime gang’s members have made vast sums by allegedly using malicious software called ransomware to scramble critical computer files belonging to Western banks and financial institutions. They then extort the victims, demanding millions in hard-to-trace cryptocurrency payments in return for unscrambling the files.

This form of online criminality has real-world consequences. Abingdon-based cybersecurity company Sophos says ransomware payments demanded by such gangs average nearly £650,000 apiece, with criminals normally tailoring their demands to the size of the victim. Ransoms in the millions or even tens of millions are not unheard of.

Maksim Yakubets, Evil Corp’s 34-year-old alleged ringleader, even has a $5m (£4m) bounty on his head offered by the US government. Nine accused Evil Corp members, including Yakubets and key lieutenant Igor Turashev, 41, were sanctioned by the US in 2019 and charged with criminal offences carrying decades in prison.

The NCA said the alleged criminal mastermind would be “arrested and extradited” if he “ever leaves the safety of Russia”.

Videos from gang members republished by the NCA show them living large – flaunting bundles of banknotes and even a £150,000 Lamborghini Huracán. Photos and videos showed Yakubets, then in his early 30s, staging his $500,000 (£405,000) wedding at a golf course near Moscow.

The gang’s 16 members openly flaunt their ill-gotten gains in their native Russia, which has prompted questions over whether they operate with the knowledge of officials.

Under 2019 sanctions, companies with US operations are banned from giving funds to Evil Corp. With the gang mainly targeting multinationals, that put Yakubets and his fellow accused criminals in a tricky position: their victims couldn’t pay them for fear of being punished by US law enforcement.

According to Mandiant’s research note: “These developments suggested that the actors faced challenges in receiving ransom payments following their ransomware’s public association with Evil Corp.”

Brett Callow, a threat analyst at anti-ransomware company Emsisoft, says the sanctions mean US-based companies “cannot legally pay” ransom demands from Evil Corp.

Faced with sanctions, Evil Corp changed its tactics and shed its malicious software in favour of what cybersecurity researchers have dubbed “ransomware-as-a-service” (RaaS). Moving to RaaS is the equivalent of a bank robber changing his clothes as he makes his getaway.

When criminals create a ransomware program, they leave identifying clues in its code. Some are intentional, such as Evil Corp’s self-awarded name. Others are akin to a poker player’s tells: tiny giveaways that an alert investigator can exploit.

Callow adds: “In the past [Evil Corp] have been cycling through their own brands of ransomware in an attempt to evade sanctions, but now they’re supposedly taking it a step further and acting as affiliates to other ransomware operations.”

In its research, Mandiant had also been looking at a RaaS creator called Lockbit, which rents ransomware and takes a cut of the buyer’s gains.

Noting that Lockbit rose to prominence in 2019, the same year as Evil Corp’s members were sanctioned, Mandiant says there were “numerous overlaps” between the two underworld organisations. “We assess with high confidence that [Evil Corp] have shifted away from using exclusive ransomware variants to Lockbit,” said Mandiant in early June.

The implications were clear: Lockbit was operating as an Evil Corp offshoot, in effect, and any US company it hacked was now banned by law from paying ransom in case the money ended up in the hands of sanctioned individuals.

What happened next validated Mandiant’s findings.

Last Tuesday a post appeared on a dark web blog used by Lockbit boasting it had hacked Mandiant itself, promising to publish stolen files unless a ransom was paid.

A note appeared alongside the post: “The fact that someone uses similar tools can not be proof that the attack is done by the same person.

“Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI and so on.”

Mandiant says Lockbit did not get hold of anything sensitive.

Instead, it says, Lockbit’s operators are “trying to disprove Mandiant’s June 2 2022 research blog” that made the links between the RaaS creator and Evil Corp.

In spite of initial scepticism that the 2019 sanctions would have any bite outside American borders, Evil Corp’s reaction seemed to reveal a key truth: they had worked exactly as intended.

When asked about the effect of sanctions against ransomware criminals, Rob Joyce, the US National Security Agency’s cybersecurity director, said last week that it works to stop the flow of money.

He revealed that the agency has picked up valuable intelligence: “We’ve heard them say that it’s hard to get funds out.”

A UK government spokesman said: “Sanctions are an important part of the UK’s cyber toolbox – and they actively deter and dissuade hostile actors and cyber criminals. UK intelligence and law enforcement organisations work closely with international partners to identify and disrupt illegal cyber activity.”

Evil Corp’s response continued. On a cybercrime forum called Breached, a newly registered account was used last week to offer a reward of $100,000 for “any data exfiltrated from the Mandiant company” as well as for stolen login details for accounts belonging to 11 named researchers.

“We are aware of the Mandiant Rewards programme and have taken steps to protect our employees,” said the company’s Melanie Lombardi.

It is almost certainly too late to recover the millions stolen by Evil Corp. Yet the gang’s lashing out is a fair bet that sanctioning the payment of ransomware criminals is the key to shutting down this modern scourge of business.


Maksim Yakubets, Evil Corp’s alleged ringleader, left; and his £150,000 Lamborghini Huracán, above
