Who’s Alleged Medibank Hacker Aleksandr Ermakov? – Krebs on Security

by admin, January 29, 2024, in Cyber insurance

Authorities in Australia, the UK and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by several aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore on the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating multiple different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address [email protected]. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes bearing the image of Vladimir Lenin, the founder of the Soviet Union. The Instagram account for Mr. Shefel includes pictures of stacked USSR-era Ruble notes, as well as several links to Shtazi.

The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.

Intel 471’s research revealed Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had at one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had largely scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it had arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection to that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in hindsight, as Ermakov’s group had also been a REvil affiliate.”

It’s easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he’s a vulnerable 33 year old with an absolute ton of bitcoin. So this isn’t a happy time for him.”
