Tag Archives: Europol

Phobos Ransomware Ring Busted: Roman Berezhnoy and Egor Nikolaevich Glebov Charged in $16M+ Global Cybercrime Spree

WASHINGTON, D.C. – In a sweeping international operation, the U.S. Justice Department has unsealed charges against two Russian nationals accused of masterminding a global ransomware campaign that extorted over $16 million from victims, including hospitals, schools, and businesses. The operation, involving law enforcement agencies from over a dozen countries, marks a significant blow against the notorious Phobos ransomware group, highlighting the growing threat of cybercrime and the increasing cooperation among nations to combat it.

A Global Threat, A Coordinated Response

The digital age has brought unprecedented connectivity and innovation, but it has also ushered in a new era of crime. Ransomware, a particularly insidious form of cyberattack, has become a global scourge, impacting organizations of all sizes and across all sectors. The Phobos ransomware, known for its aggressive tactics and sophisticated encryption methods, has been at the forefront of this wave of cybercrime.

This week, however, the tide may be turning. The U.S. Justice Department, in collaboration with international partners, announced a major breakthrough in the fight against Phobos, charging two Russian nationals, Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), with orchestrating a multi-year campaign that targeted over 1,000 victims worldwide. The arrests and subsequent disruption of the group’s infrastructure represent a significant victory for law enforcement and a warning to other cybercriminals.

The Phobos Ransomware: A Deep Dive

Phobos ransomware operates under a “Ransomware-as-a-Service” (RaaS) model. This means that the core developers of the malware (allegedly Berezhnoy, Glebov, and others) lease it out to “affiliates” who carry out the actual attacks. These affiliates infiltrate networks, steal data, encrypt files, and then demand a ransom payment, typically in cryptocurrency, in exchange for a decryption key. The Phobos developers then take a cut of the profits.

This RaaS model allows for a wider reach and makes it more difficult to track down the core perpetrators. Phobos has been particularly active since May 2019, evolving its techniques and targeting a broad range of victims.

Key Features of the Phobos Ransomware Attacks:

  • Sophisticated Encryption: Phobos uses strong encryption algorithms, making it extremely difficult, if not impossible, to recover files without the decryption key.
  • Double Extortion: Not only do the attackers encrypt the victim’s data, but they also threaten to publicly release the stolen data if the ransom isn’t paid. This “double extortion” tactic puts immense pressure on victims, especially those handling sensitive information like patient records or financial data.
  • Targeting of Vulnerable Institutions: The indictment reveals a disturbing pattern of targeting critical infrastructure and vulnerable institutions, including children’s hospitals, healthcare providers, and educational institutions. This demonstrates a callous disregard for the potential human cost of their actions.
  • Darknet Operations: The Phobos group operated a darknet website where they would publish stolen data and reiterate their extortion demands, further amplifying the pressure on victims.
  • Unique Identifier System: Each Phobos deployment was assigned a unique alphanumeric string, linking it to a specific decryption key and affiliate. This system helped the group manage its operations and track payments.
  • Affiliate Network: Affiliates were directed to pay for each decryption key with cryptocurrency, sent to a wallet unique to that affiliate.

The Alleged Masterminds: Roman Berezhnoy and Egor Nikolaevich Glebov

According to the indictment, Berezhnoy and Glebov played central roles in the Phobos operation. They are accused of:

  • Developing and Maintaining the Ransomware: They allegedly were involved in the creation and ongoing development of the Phobos ransomware.
  • Managing the Affiliate Network: They are accused of recruiting and managing the affiliates who carried out the attacks.
  • Operating the Extortion Infrastructure: They allegedly oversaw the darknet website and the communication channels used to extort victims.
  • Collecting and Distributing Ransom Payments: They are accused of managing the cryptocurrency wallets used to collect ransom payments and distribute profits to affiliates.

The 11-count indictment against Berezhnoy and Glebov includes charges of:

  • Wire Fraud Conspiracy
  • Wire Fraud
  • Conspiracy to Commit Computer Fraud and Abuse
  • Causing Intentional Damage to Protected Computers
  • Extortion in Relation to Damage to a Protected Computer
  • Transmitting a Threat to Impair the Confidentiality of Stolen Data
  • Unauthorized Access and Obtaining Information from a Protected Computer

If convicted, they face a maximum penalty of 20 years in prison on each wire fraud-related count, 10 years on each computer damage count, and 5 years on each of the other counts.

The International Investigation: A Model of Cooperation

The takedown of the Phobos operation was a truly international effort. The FBI’s Baltimore Field Office led the U.S. investigation, but the Justice Department explicitly thanked law enforcement partners in:

  • United Kingdom
  • Germany
  • Japan
  • Spain
  • Belgium
  • Poland
  • Czech Republic
  • France
  • Thailand
  • Finland
  • Romania
  • Europol
  • U.S. Department of Defense Cyber Crime Center

This level of cooperation is crucial in combating cybercrime, which often transcends national borders. The coordinated arrests and the disruption of over 100 servers associated with the Phobos network demonstrate the effectiveness of this collaborative approach. Europol and German authorities played a key role in the technical disruption of the group’s infrastructure.

The Impact on Victims: More Than Just Money

While the $16 million+ in ransom payments represents a significant financial loss, the true impact of the Phobos attacks goes far beyond monetary value. For victims, the consequences can be devastating:

  • Data Loss: Even if a ransom is paid, there’s no guarantee that all data will be recovered. In some cases, data may be permanently lost or corrupted.
  • Operational Disruption: Ransomware attacks can cripple an organization’s operations, leading to downtime, lost productivity, and reputational damage.
  • Reputational Damage: Being the victim of a high-profile cyberattack can severely damage an organization’s reputation, eroding trust with customers, partners, and the public.
  • Legal and Regulatory Consequences: Organizations may face legal and regulatory penalties for failing to protect sensitive data, particularly in industries like healthcare and finance.
  • Emotional Distress: For individuals and organizations alike, dealing with a ransomware attack can be incredibly stressful and emotionally draining.

The targeting of hospitals and schools is particularly concerning. A ransomware attack on a hospital can disrupt critical care, potentially putting lives at risk. Attacks on schools can disrupt education and compromise the personal information of students and staff.

The Broader Context: The Rising Tide of Ransomware

The Phobos case is just one example of the growing threat of ransomware. According to cybersecurity experts, ransomware attacks are becoming more frequent, more sophisticated, and more costly. Several factors contribute to this trend:

  • The Rise of Ransomware-as-a-Service (RaaS): The RaaS model makes it easier than ever for criminals, even those with limited technical skills, to launch ransomware attacks.
  • The Increasing Sophistication of Attack Techniques: Ransomware gangs are constantly evolving their tactics, using advanced techniques like spear-phishing, exploiting vulnerabilities in software, and leveraging artificial intelligence to improve their attacks.
  • The Availability of Cryptocurrency: Cryptocurrencies like Bitcoin make it easier for attackers to receive ransom payments anonymously, making it more difficult for law enforcement to track them down.
  • The Lack of Cybersecurity Awareness and Preparedness: Many organizations are still not adequately prepared to defend against ransomware attacks, leaving them vulnerable to exploitation.
  • Geopolitics: International relationships between countries may have a hand in the prevalence of ransomware.

Protecting Against Ransomware: What Organizations Can Do

The fight against ransomware requires a multi-layered approach, combining technical safeguards, employee training, and incident response planning. Here are some key steps organizations can take:

  • Implement Strong Cybersecurity Measures: This includes:
    • Firewalls and Intrusion Detection/Prevention Systems: To block unauthorized access to networks.
    • Endpoint Protection Software: To protect individual computers and devices from malware.
    • Regular Software Updates and Patching: To address known vulnerabilities.
    • Multi-Factor Authentication (MFA): To add an extra layer of security to user accounts.
    • Data Backup and Recovery: To ensure that data can be restored in the event of an attack. Crucially, backups should be stored offline and regularly tested.
    • Network Segmentation: To limit the spread of ransomware if one part of the network is compromised.
    • Vulnerability Scanning and Penetration Testing: To identify and address weaknesses in the security posture.
  • Educate Employees: Human error is often a key factor in successful ransomware attacks. Organizations should provide regular cybersecurity awareness training to employees, teaching them how to:
    • Recognize and avoid phishing emails.
    • Use strong passwords and practice good password hygiene.
    • Identify suspicious websites and downloads.
    • Report any suspected security incidents.
  • Develop an Incident Response Plan: Organizations should have a well-defined plan in place for how to respond to a ransomware attack. This plan should include:
    • Identifying key personnel and their roles.
    • Establishing communication protocols.
    • Procedures for isolating infected systems.
    • Steps for restoring data from backups.
    • Guidelines for engaging with law enforcement and cybersecurity experts.
    • Post-incident analysis and lessons learned.
  • Stay Informed: Organizations should stay up-to-date on the latest ransomware threats and best practices for prevention and response. Resources like the Cybersecurity and Infrastructure Security Agency (CISA) website (StopRansomware.gov) provide valuable information and guidance. CISA Advisory AA24-060A specifically addresses Phobos ransomware.
  • Consider Cyber Insurance: Cyber insurance can help mitigate the financial impact of a ransomware attack, covering costs such as ransom payments, data recovery, legal fees, and public relations expenses.

The Future of Ransomware and Cybercrime

The battle against ransomware is an ongoing one. As technology evolves, so too will the tactics of cybercriminals. However, the international cooperation demonstrated in the Phobos case offers a glimmer of hope. By working together, law enforcement agencies, governments, and the private sector can make it more difficult for ransomware gangs to operate and hold them accountable for their crimes.

Continued investment in cybersecurity research, development, and education is crucial. Raising public awareness about the threat of ransomware and promoting best practices for prevention is also essential. Ultimately, a collective effort is needed to protect ourselves from this growing menace.

The Legal Process: Presumption of Innocence

It’s important to remember that an indictment is merely an allegation. Roman Berezhnoy and Egor Nikolaevich Glebov, like all defendants, are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. The legal process will unfold in the coming months, and further details will likely emerge as the case progresses. The recent arrest and extradition of Evgenii Ptitsyn, another Russian national allegedly involved in administering Phobos, further underscores the ongoing efforts to dismantle this criminal network.

Cracking Down on Cybercrime: Major Marketplaces “Cracked” and “Nulled” Dismantled in Global Operation

The digital age, while offering unprecedented opportunities for connectivity and innovation, has also spawned a dark underbelly of cybercrime. Online marketplaces, operating in the shadows, facilitate the trade of stolen data, hacking tools, and other illicit goods and services. These platforms empower cybercriminals, enabling them to launch attacks with greater ease and frequency, posing a significant threat to individuals, businesses, and governments alike.

In a major blow to this criminal ecosystem, the U.S. Department of Justice, in collaboration with international law enforcement agencies, has announced the successful dismantling of two of the most prominent cybercrime marketplaces: Cracked and Nulled. This coordinated effort, known as “Operation Talent,” represents a significant victory in the ongoing battle against online crime. This article delves into the details of this operation, exploring the scope of Cracked and Nulled’s activities, the legal actions taken, and the broader implications for cybersecurity.

Operation Talent: A Multinational Strike Against Cybercrime

“Operation Talent” was not a solo mission. It represents a powerful example of international cooperation in combating the borderless nature of cybercrime. The U.S. Department of Justice spearheaded the operation, working in close concert with law enforcement agencies across Europe and Australia. This included authorities from Romania, France, Germany, Spain, Italy, Greece, and the Australian Federal Police, with support from Europol. Such collaborative efforts are crucial, as cybercriminals often operate across national boundaries, exploiting jurisdictional complexities to evade capture.

Cracked: A Hub for Stolen Data and Hacking Tools

The Cracked marketplace, active since March 2018, was a veritable supermarket for cybercriminals. Its offerings were extensive, catering to a wide range of illicit needs:

  • Stolen Login Credentials: Cracked boasted a massive database of stolen usernames, passwords, and other login credentials, sourced from data breaches across numerous websites. This product, which claimed to provide access to “billions of leaked websites,” was recently used in a disturbing sextortion case in the Western District of New York, demonstrating the real-world harm facilitated by the platform.
  • Hacking Tools: The marketplace offered a variety of software tools designed for malicious purposes, including malware distribution, network penetration, and other hacking activities. These tools lower the barrier to entry for aspiring cybercriminals, making it easier for individuals with limited technical expertise to engage in illegal activities.
  • Servers for Hosting Malware and Stolen Data: Cracked provided infrastructure for cybercriminals to host their malicious content, further enabling their operations.
  • Payment Processor (Sellix): Cracked even had its own dedicated payment processor, Sellix, facilitating transactions and ensuring anonymity for buyers and sellers.
  • Bulletproof Hosting Service: To further protect its users, Cracked offered access to a “bulletproof” hosting service, designed to resist takedown attempts by law enforcement.

Cracked’s impact was staggering. With over four million users, 28 million posts advertising illicit goods, and an estimated $4 million in revenue, it impacted at least 17 million victims in the United States alone.

The Sextortion Case: A Chilling Example of Cracked’s Impact

The press release highlights a specific case in the Western District of New York that illustrates the devastating consequences of Cracked’s operations. A cybercriminal used the stolen credential database offered on Cracked to gain unauthorized access to a woman’s online account. This access was then used to cyberstalk the victim, sending sexually demeaning and threatening messages. This case underscores the personal and emotional toll that cybercrime, facilitated by platforms like Cracked, can take on individuals.

Legal Action Against Cracked

The FBI, working with international partners, meticulously tracked down the infrastructure supporting Cracked. They identified eight domain names and multiple servers used to operate the marketplace, along with the servers and domains associated with Sellix and the bulletproof hosting service.

Through domestic and international legal processes, all these domains and servers have been seized. Now, anyone attempting to access these domains will be greeted with a seizure banner, a clear message that the platform has been shut down by law enforcement.

The FBI Buffalo Field Office is leading the investigation, with prosecution handled by Senior Counsel Thomas Dougherty of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Charles Kruly for the Western District of New York.

Nulled: Another Major Cybercrime Marketplace Dismantled

Nulled, in operation since 2016, was another major player in the cybercrime underworld. It offered a similar array of illicit goods and services, including:

  • Stolen Login Credentials: Like Cracked, Nulled provided access to a vast database of stolen login credentials.
  • Stolen Identification Documents: Nulled went a step further, offering stolen identification documents, such as social security numbers. One advertised product claimed to contain the names and social security numbers of 500,000 American citizens, highlighting the severe risk of identity theft posed by the platform.
  • Hacking Tools: Nulled also offered a selection of hacking tools, further contributing to the proliferation of cybercrime.

Nulled was even larger than Cracked, boasting over five million users, 43 million posts, and an estimated $1 million in annual revenue.

Charges Against Lucas Sohn: A Key Nulled Administrator

The Justice Department’s operation against Nulled also resulted in charges against a key administrator, Lucas Sohn, a 29-year-old Argentinian national residing in Spain. According to the unsealed complaint, Sohn played a crucial role in Nulled’s operations, including:

  • Active Administrator: Sohn was actively involved in the day-to-day management of the marketplace.
  • Escrow Services: He provided escrow services, facilitating transactions between buyers and sellers of stolen data and other illicit goods. This added a layer of trust and security for users, further encouraging participation in the illegal activities facilitated by Nulled.

Sohn now faces serious charges, including:

  • Conspiracy to traffic in passwords
  • Access device fraud
  • Identity fraud

If convicted, he could face up to 15 years in prison.

Legal Action Against Nulled

Similar to the operation against Cracked, the FBI, with international cooperation, identified and seized the servers and domain used to operate Nulled. Visitors to the Nulled domain will now also encounter a seizure banner.

The FBI Austin Cyber Task Force is leading the investigation, with participation from the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and the Department of the Army Criminal Investigation Division, among others. Assistant U.S. Attorneys G. Karthik Srinivasan and Christopher Mangels for the Western District of Texas are prosecuting the case, with Assistant U.S. Attorney Mark Tindall handling the forfeiture component.

The Global Effort Behind Operation Talent

The success of Operation Talent is a testament to the power of international collaboration in combating cybercrime. The Justice Department acknowledges the significant contributions of law enforcement agencies in Australia, France, Germany, Spain, Greece, Italy, and Romania, as well as Europol. The Justice Department’s Office of International Affairs also played a crucial role in coordinating these efforts.

The Broader Implications for Cybersecurity

The takedown of Cracked and Nulled is a major victory in the fight against cybercrime, but it’s important to recognize that it’s just one battle in an ongoing war. These platforms are likely to be replaced by others, and cybercriminals will continue to adapt their tactics.

However, Operation Talent sends a strong message to the cybercriminal community: Law enforcement agencies are actively working together to disrupt their operations and bring them to justice. This operation also highlights the importance of:

  • Robust Cybersecurity Practices: Individuals and organizations must prioritize cybersecurity, implementing strong passwords, multi-factor authentication, and other security measures to protect themselves from data breaches and cyberattacks.
  • Reporting Cybercrime: Victims of cybercrime should report incidents to law enforcement to aid in investigations and prosecutions.
  • International Cooperation: Continued collaboration between law enforcement agencies around the world is essential to combat the global nature of cybercrime.
  • Public Awareness: Raising public awareness about the dangers of cybercrime and the tactics used by cybercriminals is crucial in preventing future attacks.

Conclusion

The dismantling of Cracked and Nulled through Operation Talent is a significant achievement in the fight against cybercrime. It demonstrates the effectiveness of international law enforcement cooperation and the commitment to combating the growing threat of online crime. While the battle is far from over, this operation serves as a powerful deterrent to cybercriminals and a reminder that their activities will not go unpunished. As the digital landscape continues to evolve, continued vigilance, robust cybersecurity practices, and international collaboration will be essential to safeguarding individuals, businesses, and nations from the ever-present threat of cybercrime. The war against cybercrime is far from over, but with continued effort and cooperation, we can make the digital world a safer place for everyone.

Action Against International VAT Fraud

Eight Member States Take Action Against International VAT Fraud

Yesterday, from a coordination centre at Eurojust, Europol supported an international action day against a criminal network involved in international VAT fraud and money laundering defrauding EU citizens of approximately EUR 57 million in tax revenues via companies selling electronic items, hardware and software.

Searches of homes and premises, seizures and arrests were carried out in eight countries, starting in the early hours of the morning.
Europol deployed a mobile office at the coordination centre and a forensic analyst to Germany to facilitate real-time information exchange and cross-match analysis of the data collected. Letters of Request and other judicial instruments were facilitated on the spot.

The international cooperation leading to today’s joint action day began in June 2015, when a German prosecutor at the Bielefeld Public Prosecution Office informed Eurojust about a preliminary investigation it had been carrying out regarding a complex VAT fraud case, and enquired whether France was also investigating the same companies as missing traders or knew of other investigations concerning those suspects.

Three coordination meetings were held at Eurojust in The Hague to facilitate, progress and conclude four ongoing investigations at national level in Germany and France. All parties involved agreed, at an early stage, to coordinate their national activities and to participate in a joint action day, taking care not to adversely affect the ongoing investigations in the other Member States and to avoid possible conflicts of jurisdiction.

This coordination centre, initiated by the Bielefeld Public Prosecutor’s Office, the Paris National Financial Prosecutor’s Office and an investigative judge of the Paris court specialised in financial investigations, with the support of the French National Tax Intelligence Directorate (DNEF), was set up by the German and French National Desks at Eurojust in close cooperation with Cyprus, Italy, Latvia, Luxembourg, Poland and the UK.

Figures at a glance

  • Number of arrests: 7
  • Number of freezing/seizure orders: 27
  • Number of searches: 57
  • Number of hearings of witnesses and suspects: 12
  • Assets seized: more than EUR 4.5 million, including seized IT products

Michael Rauschenbach, Europol’s Head of Serious and Organised Crime, said:
“Once again, decisive and co-ordinated action by the Member States, supported throughout by Europol and Eurojust, demonstrates to organised criminal gangs that their fraudulent activities will not be tolerated. Value Added Tax fraud is not a victimless crime, nor a ‘white collar’ theft from Governments; this money is stolen from the citizens of the European Union as it deprives our people of the means of investment for essential public services, such as hospitals, schools and infrastructure.”

Ms Gabriele Launhardt, Deputy National Member at the German Desk at Eurojust, said:
“This operation sends a clear message that Eurojust and its partners help the national authorities of the Member States to join forces across national borders to pursue those we suspect of involvement in organised crime. Through our coordination meetings and the coordination centre, we contributed to preventing this group from hiding behind national borders and continuing to defraud taxpayers of huge amounts of tax money.”