Flurry of Arrests a Potential Prelude to Russia-Ukraine Peace Negotiations

To be a ransomware hacker and Russian historically has been a blissful experience. So long as you avoided targets inside the Kremlin sphere of influence and possibly did the odd job for intelligence agencies, law enforcement mostly left you alone.
It’s a long-standing understanding that Russian President Vladimir Putin now shows signs of reevaluating, as a calculated move ahead of talks with the United States aimed at resolving Russia’s stalemated war of conquest against Ukraine.
Certainly it’s one explanation for the unexpected recent arrest of Mikhail Pavlovich Matveev, aka “Wazawaka” – a man who, when U.S. federal prosecutors indicted him in 2022 for his role in ransomware attacks, boasted publicly that as a patriotic Russian hacker he would remain free. Russia has never extradited its citizens to face foreign charges.
To the surprise of many – probably Matveev most of all – Russian police arrested him last November. He later told a threat intelligence Telegram channel that “he has paid two fines and had a significant amount of cryptocurrency confiscated,” and is now “out on bail, unharmed and awaiting the next steps in the legal process.”
Matveev’s arrest suggested Russia was signaling to American observers a new readiness to combat cybercrime, said Dmitry Smilyanets, a product management director for intelligence at Recorded Future, who has interviewed numerous criminal hackers, including Wazawaka. A pledge from Moscow to further crack down on domestic cybercriminals could well be on the table as part of Russia-Ukraine War peace negotiations, he said.
Similarly, an anonymous hacker described Matveev’s arrest to Russian newspaper Gazeta.ru in early December 2024 as being a “diplomatic signal” that “after Donald Trump’s victory in the elections, the Russian and U.S. intelligence services will begin to cooperate more fruitfully in cybercrime,” with Wazawaka being “one of the bargaining chips.”
Matveev’s arrest doesn’t appear to be an outlier. Russian law enforcement in November and December 2024 detained and arrested “hundreds of people” on cybercrime charges, said Yelisey Bohuslavskiy, partner and chief research officer at threat intelligence firm RedSense. This included:
- Oct. 25: Four members of the REvil – aka Sodinokibi – ransomware group sentenced to up to six years in prison for making illegal payments and distributing malware;
- Nov. 7: Arrest of a group in the far east of Russia accused of building and using mobile malware used to target banks and payment services since 2021;
- Nov. 14: SugarLocker ransomware creators and distributors Alexander Ermakov and Mikhail Lenin respectively received a two-year suspended sentence and were detained for mental health treatment. The U.S. sanctioned Ermakov for perpetrating the attacks against Medibank Private that exposed personal information for 10 million Australians;
- Dec. 2: Moscow courts seized Cryptex cryptocurrency exchange assets after detaining 100 individuals, including founder Sergey Ivanov, whom the U.S. sanctioned for allegedly laundering over $720 million in funds from Russian ransomware groups;
- Dec. 2: A Moscow judge sentenced the founder of the notorious darknet market Hydra to a life sentence in one of the country’s harshest penal colonies, and imposed sentences of up to 23 years on 15 of his accomplices;
- Dec. 9: The FSB arrested 11 individuals accused of running an investment fraud call center targeting individuals and businesses in 20 countries across the EU, U.K. and South Korea.
A Russian cybercriminal clampdown would be notable on multiple fronts, not least due to the damage and disruption ransomware groups cause the West, including across critical infrastructure sectors, most notably healthcare. While blockchain analytics firm Chainalysis saw known profits from ransomware drop by one-third last year to $814 million, such attacks continue to cause mass disruption. Taking the major players out of the equation could reshape the global cybercrime ecosystem.
For years, security experts described Russian hackers as being tolerated by the state, provided they followed two rules: never attack either the country or its allies, and do favors on demand for intelligence agencies and law enforcement services.
Moscow is now devoting more resources to combating cybercrime, said Bohuslavskiy, reversing a trend of underfunding an overwhelmed police force that prioritized crimes against Russian citizens. Russia also appears to be retooling to handle more types of computer crime, including the theft of data, a recurring tactic ransomware groups use to extort victims into paying a ransom in exchange for a promise that the stolen data will be deleted rather than leaked.
Bohuslavskiy dismisses the common wisdom of Moscow charting a deliberate strategy of welcoming hacking activity inside Russian borders, calling it a “myth.” Last November, Putin signed two federal laws – No. 421-FZ and No. 420-FZ – which respectively add criminal liability for stealing, or illegally storing or handling, people’s personal data; and administrative liability for organizations, including a requirement to properly secure sensitive personal data as well as notify authorities if it gets breached. The latter is backed by fines of up to 3% of an organization’s annual profits.
Ukraine Peace Talks Loom
Regardless, Russia’s tough new stance on cybercrime is emerging at a propitious moment for Russian global ambitions, when its domestic hackers could prove an unwanted distraction from its pursuit of lasting influence in Ukraine and potentially Europe.
The problem of an active hacking scene previously flat-footed Putin. During the June 2021 U.S.-Russia summit, with Russian troops massed on Ukraine’s border, then U.S. President Joe Biden excoriated Russia’s leader for failing to prevent Russian criminals from hitting Western critical infrastructure, including Colonial Pipeline.
“As a result, instead of entirely keeping the American emphasis on Ukraine, Russians had to be ‘distracted’ by ransomware prevention talks,” RedSense’s Bohuslavskiy said. Very public, if short-lived, “crackdowns” shortly thereafter targeted the Avaddon and REvil ransomware operations.
As even more high-stakes negotiations loom, officials appear to be trying to get ahead of the problem. “Russian security forces do not like chatterbox hackers who attract a lot of attention in the West,” the anonymous hacker told Gazeta in the wake of Matveev’s arrest. “The arrest is a warning. I am sure Wazawaka was asked to behave more modestly.”
Of course, they don’t call it “Kremlinology” for nothing. Reading between the lines to capture the full strategic intent of Russian rulers from bits of contradictory evidence doesn’t always yield the correct result – assuming that one even exists.
Strategies take time to execute and even in authoritarian states like Russia, diktats from on high may get lost or modified in execution. Despite the “interesting signals” being sent by Moscow, Recorded Future’s Smilyanets believes ransomware will remain the number-one cyber threat facing organizations this year, involving ever more variants and victims. Early data from the start of this year also points to a recent surge in ransomware attacks, said threat-intelligence firm Cyble.
The only evidence for whether Russia is genuinely cleaning up its cybercriminal underground is a sustained operation that unfolds over time – one that should involve extraditions to the United States and elsewhere where ransomware hackers can face consequences for the harm they’ve caused.