
In an operation spanning multiple years and multiple jurisdictions, one of the world's most wanted cyber criminals has finally been taken to the US to face justice for crimes that stretch back to 2011.
Maksim Silnikau, a 38-year-old Belarusian, was caught in a raid on his apartment in Spain last year. Since then, he has been held in prison in Poland awaiting extradition to the US to face numerous charges of criminal activity, including:
- 1 count of conspiracy to commit offences against the United States
- 2 counts of wire fraud
- 1 count of conspiracy to commit wire fraud
- 1 count of conspiracy to commit Access Device Fraud
- 2 counts of aggravated identity theft
- 1 count of conspiracy to commit computer fraud and abuse
The charges have been revealed in 2 documents unsealed by the US Department of Justice.

Silnikau, also known as Maksym Silnikov, used the online names J.P.Morgan, XXX, and Lansky to operate the world's first Ransomware-as-a-Service (RaaS) platform, responsible for the development and distribution of multiple ransomware strains and exploit kits that allowed criminals to extort tens of millions from victims worldwide.
Malware activities
Silnikau developed the Reveton ransomware which, on infecting a victim's device, locks the user out of the system and displays a screen that appears to come from a law enforcement agency.
The malware attempts to scare its victims by displaying a notice that claims that the user has committed a crime—usually downloading or using pirated software or keeping child pornography on the user’s computer.
Reveton is also able to take over victims’ webcams and scare victims into believing that they are being recorded by the police.

In July 2013 an updated version of Reveton began targeting Mac OS X users; it used JavaScript to load numerous iframes, each of which the victim had to close individually.
Messages in the pop-ups informed users that they had violated various laws and that their computer had been locked because of this. The messages also stated that, to unlock the computer and to avoid legal issues, victims must pay a $300 fine via a prepaid money card.
Attempts to close the warning page resulted in additional messages that reappeared each time victims tried to close their web browsers.
It is alleged that the malware resulted in approximately $400,000 being extorted from victims every month between 2012 and 2014.
In 2014 Reveton began using a password stealer called Pony Stealer, which allowed attackers to steal passwords from various cryptocurrency wallets. Pony Stealer can decrypt or unlock passwords for multiple services, including FTP, VPN, email, web browsers and instant messaging programs, and allows the program to use infected PCs as botnet clients.
In 2021, Silnikau launched Ransom Cartel, ransomware that performs double-extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware.
REvil ransomware disappeared a few months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia. When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code.
One of the exploit kits pushed by Silnikau was the Angler Exploit Kit, which used vulnerabilities in Internet Explorer, Microsoft Silverlight, Adobe Flash Player, Adobe Reader, and Java.
Angler also used the ActiveX XMLDOM vulnerability (CVE-2013-7331) to fingerprint systems in an attempt to detect virtual machines, sandboxes, and security tools that indicate the presence of a security researcher rather than a genuine end user.
Angler also used a Diffie-Hellman key exchange to make each attack unique to a particular victim and to thwart attempts to replay packet captures in order to forensically examine its activity.