2 November 2021

Core member of ransomware gang identified

Kai Biermann

The video shows a white yacht bobbing in the blue waters of the Mediterranean. Young people are lolling about on deck, laughing, drinking and jumping into the water. It’s expensive fun: Chartering the yacht costs 1,300 euros per day. The video was shared on social media by Ekaterina K.*, whose account frequently includes such vacation clips. This video is from Antalya, on the south coast of Turkey, but others have come from a five-star hotel in Dubai, from the Crimean Peninsula, or even from the Maldives.

Her husband Nikolay K. often appears in the videos and photos she posts. He seems to prefer T-shirts from Gucci, luxurious BMW sportscars and large sunglasses. For the past several months, he has also been wearing a Vanguard Encrypto on his wrist, a type of luxury watch that has the code of a Bitcoin address engraved into its dial and costs up to 70,000 euros. Nikolay K.’s own account is private, but his motto is open to all and makes clear his faith in cryptocurrencies, like Bitcoin – which are how he earns his money.

In this case, though, "extortion" might be the more accurate term. According to reporting conducted jointly by the German public broadcaster Bayerischer Rundfunk and ZEIT ONLINE, Nikolay K. is part of a group of online extortionists who earn many millions of euros for their crimes and are almost never caught. Nikolay K. is one of the extremely rare cases in which it has been possible to identify the perpetrator behind a nearly perfect crime.

Investigators from the Baden-Württemberg State Criminal Police Office (LKA) are convinced that Nikolay K. is part of a core group of perpetrators who operate ransomware called REvil. With the help of this extortion software, this core group together with other accomplices have attacked companies and institutions across the Western world and collected enormous amounts of money.

No one too large or too small to be attacked

In recent years, criminal gangs using ransomware have become a plague. No company, no city administration, no organization is too large or too small to be attacked and, in the worst case, completely paralyzed. The perpetrators smuggle their programs into foreign computer networks, copy all the data, and then encrypt the system. The computers that are part of that system become useless. City administrations cannot do their work, medical practices and law firms go bankrupt, factories grind to a standstill, and hospitals can no longer access patient files. Those who pay the extortionists are then sent a key to access their data – if they are lucky. Those who don’t pay risk having their confidential information published or having the hacked access to their networks sold onwards to other criminals.

There are several different forms of this kind of ransomware. REvil, which is also known as Sodinokibi, is one of the most pernicious and has been responsible for billions of dollars in damages around the world. The German Federal Office for Information Security (BSI) classifies REvil as one of the most dangerous programs in the field. In Germany, it was used in 2019 to attack DRK Trägergesellschaft Süd-West – an IT company that serves doctors’ offices and hospitals. Several clinics in the western German state of Rhineland-Palatinate and in the southwestern state of Saarland had to shut down their computer systems and go into emergency operations.

It’s not known who first developed the code for REvil. But there is a core group that sells it to anyone interested in using it for extortionist activities. The developers have established a lucrative rental model: Criminals can apply with the group to use the software for a fee to be paid in cryptocurrency, a model called "ransomware as a service." And Nikolay K. is apparently among those to whom such criminal rental payments are made.

Reporters from Bayerischer Rundfunk and ZEIT ONLINE spent several months following digital tracks on social media, on anonymous Telegram channels and in the world of cryptocurrency. The reporters were able to establish that Bitcoin was transferred on at least six occasions from accounts connected to criminal enterprises to an address that most likely belongs to Nikolay K.

If you Google the name he uses on social media, you will find an email address used to register various websites. These websites are connected to several Russian mobile phone numbers. And one of these mobile numbers leads to a Telegram account on which the Bitcoin address was published. More than 400,000 euros in Bitcoin have been paid into this account. Experts from a company specialized in evaluating Bitcoin payments and which also assists investigators in such analyses say that this money is most likely the product of extortion.

Such Bitcoin transactions are what initially led the Baden-Württemberg LKA to Nikolay K. The investigators are looking into a 2019 attack on the Staatstheater in Stuttgart, in which an earlier version of REvil, called Gandcrab, was used. The theater’s computers were offline for several days, and staff were forced to sell handwritten tickets. The Staatstheater is thought to have ultimately paid the ransom – 15,000 euros in cryptocurrency – and the LKA then followed the tracks left behind by that payment. They led to Nikolay K. At the time, the hacker group was still known internationally under the name Gandcrab, but investigators and IT security experts believe that the same group is now responsible for REvil.

Ransomware as a service

Authorities rarely succeed in finding the perpetrators of ransomware attacks, despite stepped-up international efforts. And when they do, they mostly catch small fish, so-called affiliates, as was the case on two recent occasions in Ukraine and Canada. These affiliates rent the malware from the actual criminal group and afterwards transfer a portion of the extorted ransom money in exchange. The bigger fish, people like Nikolay K., have thus far mostly remained in the shadows, largely because they are frequently located in countries that aren’t exactly cooperative when it comes to investigations and extradition. Nikolay K.’s case also shows how difficult it can be to arrest the perpetrators behind such extortion operations and bring them to justice.

Nikolay K. lives with his wife in a southern Russian town, in a house with a swimming pool. There is a BMW with more than 600 horsepower parked in the driveway. The only legal business that can be found in connection with his name is a small bar in a recently built residential block in the city. Pictures and videos show a simply furnished bar focused on sports betting – not exactly the kind of venue that rakes in enormous amounts of money. And it’s certainly not the kind that could fund the lifestyle shown off by the couple on social media.

The LKA investigators from Stuttgart are monitoring social media closely in the hopes of learning when Nikolay K. will go on vacation to a country which has a cooperation agreement with Germany and in which he could then be arrested. An arrest warrant has already been prepared. But Nikolay K. apparently no longer travels outside of the country and seems to have spent his last vacation in Crimea.

Nevertheless, REvil could become one of the few cases of online extortion in which the gang structure is, at least, clarified and the perpetrators are identified. And it’s not just German investigators who are on the group’s trail. According to Reuters, the FBI in the U.S. is also investigating the group and has likely infiltrated them. One of the leading figures in the group, who appears online under the pseudonym 0_neday, has indirectly confirmed as much. "The server was compromised, and they were looking for me," 0_neday wrote in a forum for criminal offers. "Good luck everyone; I’m off."

More political pressure

It is likely that Nikolay K. has also learned of the investigation. Officially, the LKA in Baden-Württemberg and the state prosecutor’s office responsible have declined to comment on the ongoing investigation. But some of those involved believe that it is important to talk about the success of the investigation, and to demonstrate that German agencies, too, are competent in the field – if only as a message to the perpetrators that they won’t get away. "It unsettles, acts as a deterrent and perhaps makes one or the other in the future say, ‘No, I won’t get involved in that,’" says one of those involved in the investigation.

Some of the investigators are also frustrated by the lack of cooperation from other countries and believe that more political pressure is necessary to finally change the situation. "If there was someone out there stealing these sums of money by robbing banks, there would be much more pressure. But the danger is not understood," says one official.

The need for more action is not disputed by the German Interior Ministry, which is responsible for the Federal Criminal Police Office and Germany’s cyber-strategy. They say that cybercriminal threats are now being taken as seriously as the fight against terrorism.

The U.S. is already trying to apply pressure to the countries sheltering ransomware extortionists. During conversations with Russian President Vladimir Putin, U.S. President Joe Biden pushed for an agreement on the issue. And some progress seems to have been made. Russian media, in any case, has reported that the two sides intend to work together more closely in the future when it comes to such cyber-extortion. But it will likely take some time before the LKA in Baden-Württemberg sees the benefits. And until then, Nikolay K. and his wife can keep spending nights in luxury hotels.