
REVIL | Ransomware Group REvil, The Bitcoin Blackmailer With The Expensive Watch

Ransomware gangs extort billions by encrypting computers. They are rarely caught. Now investigators from a German State Criminal Police Office (LKA) have managed to identify a suspected perpetrator.

Young people loll on the decks, laughing, drinking, jumping into the water. An expensive pleasure: chartering the yacht costs 1,300 euros per day. Ekaterina K.* shared the video on social networks. She often posts such holiday greetings, sometimes, as here, from Antalya in Turkey, sometimes from a five-star hotel in Dubai, from the Crimean peninsula or from the Maldives.

Her husband Nikolay K. can often be seen in the videos and photos. He likes Gucci T-shirts, classy BMW sports cars and big sunglasses. For several months now he has also been wearing a Vanguard Encrypto on his wrist, a luxury watch with the code of a Bitcoin address engraved in the dial. Such a watch costs up to 70,000 euros. Nikolay K.'s own account is private, but his profile motto is public: he trusts cryptocurrencies such as Bitcoin, it says, and that is how he earns his money.

Earning, in this case, means extortion. According to research by Bayerischer Rundfunk, Nikolay K. belongs to a group of internet criminals who collect many millions of euros with their crimes and are almost never caught. Nikolay K. is one of the extremely rare cases in which it has been possible to identify a perpetrator behind a ransomware extortion, an almost perfect crime.

Billions in damage from ransomware

According to investigators from the Baden-Württemberg State Criminal Police Office (LKA), Nikolay K. belongs to the core group of perpetrators who operate the REvil ransomware. With this extortion software, the group and its accomplices have attacked companies and institutions all over the Western world and cashed in enormous sums.

Ransomware is a portmanteau of ransom and software. In recent years, criminal gangs using such programs have become a real scourge. No company, no city administration, no organisation is too big or too small to be attacked and, in the worst case, paralysed. The perpetrators smuggle their programs into other people's computer networks, copy all the data and then encrypt the victim's systems. For those affected, their own computers become useless. City administrations have to stop work, doctors' practices and law firms go bankrupt, factories stand still, hospitals can no longer access their patient files. Whoever pays the extortionists receives the key to their data, if they are lucky. Whoever does not pay has their confidential information published, and the hacked access to their networks is sold on to other criminals.

There are several families of such ransomware. REvil, also known as Sodinokibi, is one of the worst and is responsible for billions in damage worldwide. The Federal Office for Information Security (BSI) counts REvil among the most dangerous programs in this field. In Germany, for example, the DRK Trägergesellschaft Süd-West, a German Red Cross subsidiary, was attacked in 2019. It is an IT service provider for medical practices and hospitals, which is why several clinics in Rhineland-Palatinate and Saarland had to shut down their computer systems and switch to emergency operation.

Blackmail as a rental model

It is unknown who wrote the original REvil code. But there is a core group that offers the malware to anyone who wants to attack victims with it. The developers have set up a lucrative rental model: criminals can apply to this group and use the software for a fee payable in cryptocurrency. In English this is called ransomware as a service (RaaS). And Nikolay K. is apparently one of the people to whom such criminal rent is paid.

For months, BR reporters followed the corresponding digital traces on social media, in anonymous Telegram channels and in the world of cryptocurrencies. Among other things, they were able to establish that Bitcoin was transferred at least six times from addresses linked to criminal operations to an address that can very probably be attributed to Nikolay K.

Googling the name he uses on social media turns up an email address that was used to register various websites. Several Russian mobile phone numbers are linked to these, and one of them leads to a Telegram account on which the Bitcoin address in question was published. Bitcoin worth more than 400,000 euros was deposited to it. Most of it very likely came from extortion, say experts at a company that specialises in analysing Bitcoin payments and also assists investigators with such analyses.
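The follow-the-money step described above, as an added illustration that is not part of the BR reporting or the LKA investigation: a Python example on a constructed, simplified ledger that applies the two heuristics blockchain-analysis firms rely on for this kind of attribution, the common-input-ownership (co-spend) heuristic for grouping addresses into one wallet, and forward taint propagation to find which deposits into the suspect's wallet descend from addresses that victims are known to have paid. Every address, transaction, amount and seed label here is made up; real analysis starts from real victim payment records and exchange data.

```python
"""Added example (not from the BR/LKA investigation): trace funds on a
constructed, simplified Bitcoin-style ledger from labelled ransom-payment
addresses to a suspect's address cluster."""
from collections import defaultdict, deque

# Constructed ledger, assumed to be in chronological order. Each transaction
# spends every address in "inputs" and pays the listed "outputs" (amounts in BTC).
LEDGER = [
    {"txid": "t1", "inputs": ["victim_a"], "outputs": [("ransom_1", 2.0)]},
    {"txid": "t2", "inputs": ["victim_b"], "outputs": [("ransom_2", 1.5)]},
    # affiliate/core split of each ransom (proportions are invented)
    {"txid": "t3", "inputs": ["ransom_1"], "outputs": [("aff_1", 1.4), ("core_1", 0.6)]},
    {"txid": "t4", "inputs": ["ransom_2"], "outputs": [("aff_2", 1.0), ("core_2", 0.5)]},
    {"txid": "t5", "inputs": ["core_1", "core_2"], "outputs": [("suspect", 1.1)]},
    {"txid": "t6", "inputs": ["exchange_hot"], "outputs": [("suspect", 0.3)]},  # clean deposit
    {"txid": "t7", "inputs": ["aff_1"], "outputs": [("aff_1_change", 0.9), ("suspect_2", 0.5)]},
    # suspect and suspect_2 are spent together: the co-spend heuristic puts them in one wallet
    {"txid": "t8", "inputs": ["suspect", "suspect_2"], "outputs": [("exchange_deposit", 1.9)]},
]
SEEDS = {"ransom_1", "ransom_2"}  # addresses victims are (hypothetically) known to have paid


class Clusters:
    """Union-find over addresses for the common-input-ownership heuristic."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_by_coinput(ledger):
    """Addresses spent in the same transaction are assumed to share one owner."""
    clusters = Clusters()
    for tx in ledger:
        for other in tx["inputs"][1:]:
            clusters.union(tx["inputs"][0], other)
    return clusters


def all_addresses(ledger):
    return {a for tx in ledger for a in tx["inputs"] + [o for o, _ in tx["outputs"]]}


def build_graph(ledger):
    """Directed edges addr -> (next_addr, txid, amount), one per input/output pair."""
    graph = defaultdict(list)
    for tx in ledger:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"]:
                graph[src].append((dst, tx["txid"], amount))
    return graph


def shortest_path(graph, seed, targets):
    """BFS from seed; returns the hops [(addr, txid), ...] to the first target reached, or None."""
    prev = {seed: None}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if cur in targets:
            hops = []
            while prev[cur] is not None:
                parent, txid = prev[cur]
                hops.append((cur, txid))
                cur = parent
            return hops[::-1]
        for nxt, txid, _ in graph[cur]:
            if nxt not in prev:
                prev[nxt] = (cur, txid)
                queue.append(nxt)
    return None


def trace(ledger, seeds, target):
    """Count deposits into target's wallet cluster that descend from the seed addresses."""
    clusters = cluster_by_coinput(ledger)
    root = clusters.find(target)
    members = {a for a in all_addresses(ledger) if clusters.find(a) == root}
    tainted = set(seeds)  # forward taint: every output of a tx that spends tainted coins
    deposits = []
    for tx in ledger:
        if any(addr in tainted for addr in tx["inputs"]):
            for dst, amount in tx["outputs"]:
                tainted.add(dst)
                if dst in members:
                    deposits.append((tx["txid"], dst, amount))
    graph = build_graph(ledger)
    return {
        "cluster": sorted(members),
        "tainted_deposits": deposits,
        "tainted_total": round(sum(a for _, _, a in deposits), 8),
        "paths": {s: shortest_path(graph, s, members) for s in sorted(seeds)},
    }


if __name__ == "__main__":
    result = trace(LEDGER, SEEDS, "suspect")
    print("wallet cluster:", result["cluster"])
    for txid, addr, amount in result["tainted_deposits"]:
        print(f"tainted deposit {txid}: {amount} BTC to {addr}")
    for seed, path in result["paths"].items():
        print(seed, "->", " -> ".join(f"{a} ({tx})" for a, tx in path))
```

On this constructed ledger the clean exchange deposit (t6) is correctly left out, and the deposit to suspect_2 is only attributed because the co-spend in t8 merged it into the suspect's wallet. Two caveats a practitioner would check before putting such a result in a report: the co-spend heuristic is defeated by CoinJoin-style transactions that deliberately mix unrelated owners, and the all-or-nothing taint rule used here overstates exposure compared with the amount-weighted (haircut or FIFO) rules commercial tools apply.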

It was also Bitcoin transfers of this kind that put the Baden-Württemberg State Criminal Police Office on the trail of Nikolay K. The officers are investigating an attack on the State Theatre in Stuttgart in 2019. At that time an earlier version of REvil, called GandCrab, was used. The theatre's computers were offline for days and the audience was sold handwritten tickets. The state theatre is said to have paid the ransom demanded; 15,000 euros in cryptocurrency are said to have been transferred. The LKA officers followed the money trail, and it led them to Nikolay K. The investigation team is called "Krabbe", German for crab, because at the time the hacker group was still known internationally under the name GandCrab. But investigators and IT security experts assume

Despite considerably increased international efforts, the authorities still rarely succeed in finding the perpetrators of ransomware attacks. And when they do, they usually catch smaller fish, so-called "affiliates", as recently in Ukraine and in Canada. These affiliates rent the malware from the actual gang and hand over part of the extorted proceeds in return. Backers like Nikolay K. have so far mostly remained in the dark, mainly because they are often in countries that are not exactly cooperative when it comes to investigations and extradition requests. The case of Nikolay K. also shows how difficult it is to arrest the perpetrators behind such extortions and bring them to justice.

In Russia, the perpetrator is out of reach of the authorities

K. lives with his wife in a town in southern Russia, in a house with a swimming pool. In the driveway is a BMW with more than 600 hp. The only legal business that can be found in connection with his name is a small bar in a new development in the town. Pictures and videos show a rather plain bar that is about beer, but above all about sports betting. It does not look like a place where enormous turnover is generated, at least none that would fit the lifestyle the couple displays online.

The LKA investigators in Stuttgart keep a close eye on the couple's social media. They hope to learn that way when Nikolay K. goes on holiday to a country with which cooperation agreements exist and where he could be arrested. An arrest warrant is reportedly already waiting in the drawer. But Nikolay K. apparently no longer leaves Russia; he seems to have spent his last holiday in Crimea.

Nevertheless, REvil could become one of the few cases of internet extortion in which at least the gang's structure is unravelled and the perpetrators identified. German investigators are not the only ones on the group's trail: the American FBI is also investigating it and has probably already infiltrated it. Reuters recently reported that the US agency had succeeded in hacking the extortionists' infrastructure. One of the group's leading figures, who appears online under the pseudonym 0_neday, indirectly confirmed this. In a forum for criminal services, 0_neday wrote: "The server has been compromised, they are looking for me. Good luck everyone; I'm out."

Nikolay K. has probably known about the investigation for a long time. He himself left BR's enquiries unanswered. Officially, the LKA Baden-Württemberg and the responsible public prosecutor's office do not want to comment on the ongoing investigation. But some of those involved take the view that the investigative success has to be talked about: to show how effectively German authorities can work, and to make clear to the perpetrators that they will not get away with it. "That unsettles them, that scares them off, and it may lead one or the other to say in future: 'No, I won't get involved.'"

Political pressure needed

Some of the investigators are also frustrated by the unwillingness of other countries to cooperate. They believe it will take political pressure to finally change that. "If someone stole these sums of money in a bank robbery, there would be far more pressure. But the danger is not understood," said one official.

Political pressure, then. The Federal Ministry of the Interior, which is responsible among other things for the Federal Criminal Police Office (BKA) and for Germany's cyber strategy, does not contradict this. The ministry says it now takes the threat posed by cyber criminals just as seriously as the fight against terrorism.

The US is already trying to put pressure on states that host ransomware extortionists. In talks with Russian President Vladimir Putin, US President Joe Biden pressed for a corresponding agreement. There appear to be initial successes: Russian media, at least, reported that both sides want to work more closely together on such crimes. But it will take some time before the LKA Baden-Württemberg benefits from this. Until then, Nikolay K. and his wife can continue to spend their nights undisturbed in luxury hotels.

* All names have been changed.

Collaboration: Hakan Tanriverdi and Max Zierer, Bayerischer Rundfunk
