Suspected Ransom Cartel Operator Extradited to the US
Maksim Silnikau, aka 'J.P.Morgan,' Charged in New Jersey and Virginia Federal Court

A pioneer of the ransomware-as-a-service model appeared in U.S. federal court Tuesday, where he faces a slew of charges stemming from a nearly two-decade online criminal career.
Belarussian and Ukrainian dual-national Maksim Silnikau, 38, allegedly led two multiyear cybercrime schemes for which he faces federal criminal indictments in New Jersey and Virginia. His online handles include "J.P.Morgan," "lansky," and "xxx."
Poland extradited Silnikau to the United States on Friday; authorities first arrested him in the southern Spanish seaside town of Estepona in July 2023. Silnikau allegedly was a key player in the Reveton criminal group, "the first ever ransomware-as-a-service business model," according to the U.K. National Crime Agency, which disclosed the Spanish, British and U.S. operation that led to Silnikau's capture.
Reveton gave low-skilled cybercriminals access, for a fee, to malware that locked users out of their computers. Reveton displayed messages putatively from law enforcement accusing victims of downloading illegal content and copyrighted applications. The British agency said Reveton scammed approximately $400,000 from victims every month from 2012 to 2014.
Virginia prosecutors concentrated on Silnikau's time helming the Ransom Cartel operation, charging him with seven counts including aggravated identity theft, wire fraud and conspiracy to commit offenses against the United States.
The indictment quotes a May 4, 2021, ad posted by Silnikau and co-conspirators on a Russian-speaking online forum seeking to buy access to compromised computers in which they said they "will consider working with you on commission (%)." Prosecutors say Silnikau also established and maintained the dark web panel through which Ransom Cartel communicated with affiliates. Such panels are a mainstay of ransomware-as-a-service operations and increasingly the targets of law enforcement takedown operations (see: Ransomware Operation LockBit Relaunches Dark Web Leak Site).
Malware researchers have noted similarities between the Ransom Cartel operation and REvil, the Russian-speaking ransomware group that was, unusually, dismantled by Russia's Federal Security Agency, the FSB, in January 2022 (see: Suspected REvil Ransomware Spinoff 'Ransom Cartel' Debuts).
Silnikau's prosecution in New Jersey - where he made his initial U.S. court appearance - centers on a malvertising spree that began in October 2013 and lasted through March 2022. Along with indicted co-conspirators Vladimir Kadariya, 38, from Belarus, and Andrei Tarasov, 33, from Russia, Silnikau allegedly disseminated the Angler Exploit Kit through malicious advertising campaigns dressed up to appear legitimate. "At its peak, Angler represented 40% of all exploit kit infections, having targeted around 100,000 devices and with an estimated annual turnover of around $34 million," the U.K. National Crime Agency said.
The indicted trio also used the online advertising stack to distribute locker software - malware that locks up devices for extortion rather than encrypting them - and scareware.
Silnikau, Kadariya and Tarasov face up to 57 years in prison if convicted. Silnikau faces the possibility of another 20 years for charges made in Virginia federal court.
Prosecutors said Silnikau began frequenting Russian-language cybercrime forums as early as 2005 and was a member of Direct Connection, an underground forum for elite cybercriminals, from 2011 until its 2016 closure by law enforcement.