by Paul Ducklin
Back in June this year, we wrote about a ransomware-related bust in Ukraine, featuring a police video in which a high-security door was dismantled with a BFG (Big Fat Grinder), substantial piles of cash were counted out and packed into evidence bags, and numerous fancy cars were seized.
Well, here’s another bust video from the Кіберполіція України, or Ukranian Cyberpolice:
The BFG is back, but thankfully it wasn’t needed inside what looks like a rather modern and upmarket apartment block, because the suspects gingerly opened the door of their own accord when they heard the police outside.
This time, we didn’t spot a breadmaker in the kitchen, or any trendy candles on the dining table, as we did in the pervious video, but you will once again notice that Apple Macs seem to be the laptop of choice for these suspects, along with a fearsome-looking illuminated gaming rig that got seized along with a sea of other electronic gear.
In case you’re wondering why cops in cases like this often get warrants to tow away suspects’ vehicles: it’s not just because flash cars are often considered “proceeds of crime”, but also because the average modern car may contain significant amounts of electronic evidence, for example by way of dashcams, anti-theft trackers, satnavs and mobile phones paired over Blueooth.
Last time, most of the money we saw being counted out by the cops was Ukrainian cash; this time, the cops came across a small but nevertheless substantial stash of Benjamins (US $100 bills, which feature a drawing of Benjamin Franklin) in what looked very much like the proverbial hiding place: a shoe-box in a clothing cupboard:
According to Europol, the banknotes in the box added up to $375,000 altogether, and the police also managed to freeze more than $1.5 million (EUR 1.3m) in cryptocurrency.
The report doesn’t list which cryptocurrencies were frozen, and doesn’t say whether those assets might ever actually be reclaimable if the suspects are ultimately convicted.
That’s because preventing a cryptocoin stash from being spent, or at least from being “cashed out” on an official crypocurrency exchange, isn’t necessarily enough to permit those funds from being accessed and restored to their rightful owners or paid over to a court.
As an analogy, imagine that the police had a warrant to seize the ATM card needed to withdraw stolen money from a suspect’s bank account, but they didn’t have the PIN for the card, and the bank was unable to release the funds any other way, warrant or not. The funds would be off-limits not only to the suspect, but also to everyone else involved.
Two $100,000 cars were towed away, too, and two suspects arrested.
Somehow, we don’t think this will make much of a dent on the ransomware scene (if we assume, for the time being, that the suspects really were involved in ransomware criminality).
We don’t even know which ransomware gang these suspects were affiliated with, but the mention of ransom demands as high as EUR 70,000,000 in Europol’s press release has led to some reporters inferring that these busts must be connected to the infamous Kaseya breach, where crooks used bugs in Kaseya’s network management tools to break into not one but many networks at the same time.
In the Kaseya attack, the crooks were allegedly part of the REvil ransomware “affiliate network”, and apparently ended up biting off more than they could realistically chew.
This led to a sort of “all-you-can-eat” offer from the core criminals, suggesting that the victims should club together to pay a whopping $70 million one-time fee, in return for a universal decryption tool that would (or so the crooks claimed) work on any and every infected computer.
Nevertheless, if these suspects really are part of the modern big-money raonsomware underground, their arrest will surely do no harm, and may act as a disincentive to anyone currently sitting on the fringes of the cybercrime scene wondering if it’s worth the risk of getting fully involved.