US accuses man of being 'elite' ransomware pioneer they've hunted for years
Authorities allege 'J.P. Morgan' practiced "extreme operational and online security"
The US has charged a suspect they claim is a Belarusian-Ukrainian cybercriminal whose offenses date back to 2011.
Maksim Silnikau, 38, was recently extradited to the US from Poland and was formally indicted in both New Jersey and Virginia for crimes relating to malvertising and ransomware respectively.
Silnikau is accused of being behind various adopted online aliases over the years, including "J.P.Morgan," "xxx," and "lansky," among others, the Department of Justice said.
The UK's National Crime Agency (NCA) said in a concurrent announcement that it had been investigating Silnikau since 2015 and that it headed the international operation that resulted in his arrest in Spain last year.
The NCA claimed Silnikau was an "elite cybercriminal," was "one of the world's most prolific Russian-speaking cybercrime actors," "practiced extreme operational and online security in an effort to avoid law enforcement detection," and was the founder of the first-ever ransomware-as-a-service group, Reveton.
Silnikau's alleged associates – Volodymyr Kadariya, 38, from Belarus, and Andrei Tarasov, 33, from Russia – are also facing charges in the US but haven't yet been arrested.
Kadariya and Tarasov are alleged to have helped Silnikau with one of his cybercrime endeavors – a malware and malvertising scheme that ran for nearly a decade between October 2013 and March 2022.
Among the more notable offenses the suspects are accused of is involvement in the distribution of Angler, an exploit kit considered during its heyday as among the most effective of its kind, before mysteriously disappearing eight years ago.
"As alleged in the indictment, Silnikau and his co-conspirators distributed online advertisements to millions of internet users for the purpose of delivering malicious content," said principal deputy assistant attorney general Nicole M. Argentieri, head of the Justice Department's Criminal Division.
"These ads appeared legitimate but were actually designed to deliver malware that would compromise users' devices or to deliver 'scareware' designed to trick users into providing their sensitive personal information. Silnikau's arrest and extradition demonstrate that, working with its domestic and international partners, the Criminal Division is committed to bringing cybercriminals who target US victims to justice, no matter where they are located."
Indictment number one – New Jersey
In Newark, New Jersey, where Silnikau's charges were unsealed this week, he will be tried in connection with the long-running malvertising campaigns that ran between 2013 and 2022.
These campaigns took various forms but typically, according to the indictment, Silnikau et al would allegedly purchase ad space on websites and redirect web users to malicious domains where malware would be delivered to their devices. The DoJ said internet users were redirected to the malicious campaigns millions of times.
These ads would sometimes deliver scareware too – think of those crude early-internet-era popups trying to convince users they had been hacked, or some similarly alarming message along those lines. They would then, of course, prompt users to download software that would "fix" the issue but instead drop the real malware, which would often lead to remote desktop access or data theft.
But the aspect of this campaign authorities paid the most attention to was its distribution of Angler. The DoJ alleged Silnikau and co "took a leading role" in the distribution of the dangerous exploit kit, which at the time was the delivery mechanism of choice for cybercriminals' malware payloads.
Kaspersky told us after Angler went missing in 2016 that it believed those responsible were members of the Russian Lurk group, many of whom were arrested in 2016 and 2017 in connection with the group's eponymous banking trojan and Angler.
"At its peak, Angler represented 40 percent of all exploit kit infections, having targeted around 100,000 devices and with an estimated annual turnover of around $34 million," the NCA said today.
Indictment number two – Virginia
The second indictment relates to Silnikau's alleged role as a ransomware boss at the Ransom Cartel group, which spun up in 2021.
Silnikau is alleged to have been a member of Russian cybercrime forums since 2005 and it was on these sites he is believed to have recruited affiliates to work for the Cartel.
The DoJ said in addition to running the op, he would also provide affiliates with intel to carry out attacks, such as genuine login credentials for user accounts at target organizations and details of already-compromised devices.
The NCA added to this, saying Silnikau was also responsible for the Reveton ransomware group, the one that pioneered the ransomware-as-a-service business model that almost every modern group still uses.
"Victims of Reveton received messages purporting to be from law enforcement, with a notification that would lock their screen and system, accusing them of downloading illegal content such as child abuse material and copyrighted programs," the NCA said.
"Reveton could detect the use of a webcam and take an image of the user to accompany the notification with a demand for payment. Victims were then coerced into paying large fines through fear of imprisonment or to regain access to their devices.
"The scam resulted in approximately $400,000 being extorted from victims every month from 2012 to 2014."
A man cops believe is a former associate of Silnikau, British national Zain Qaiser, was sentenced for his role in the Reveton operation in 2019. The NCA claims he worked with Silnikau to embed Angler in pornography website ads, which would then load Reveton and extort victims.
Qaiser was sentenced to six years and five months in prison, meaning he'll be walking free around the same time Silnikau's case comes to a close.
"In the District of New Jersey, Silnikau, Kadariya, and Tarasov are charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud, and two counts of substantive wire fraud," the DoJ said. "If convicted, Silnikau, Kadariya, and Tarasov face maximum penalties of 27 years in prison for wire fraud conspiracy, 10 years in prison for computer fraud conspiracy, and 20 years in prison on each wire fraud count.
"In the Eastern District of Virginia, Silnikau is charged with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, conspiracy to commit access device fraud, and two counts each of wire fraud and aggravated identity theft. He faces a mandatory minimum of two years in prison and a maximum penalty of 20 years in prison." ®