Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.
The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included several photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.
It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.
The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.
“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”
The sanctions say Ermakov went by several aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of companies.
In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”
In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.
The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.
How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address ae.ermak@yandex.ru. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.
The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin,” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founder of the Soviet Union. The Instagram account for Mr. Shefel includes photos of stacked USSR-era Ruble notes, as well as several links to Shtazi.
Intel 471’s research revealed Ermakov was indirectly affiliated with REvil because the stolen Medibank data was published on a blog that had at one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.
But by the time of the Medibank hack, the REvil group had largely scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it had arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.
“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”
It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.
“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”