Authorities in Australia, the UK and the USA this week levied monetary sanctions towards a Russian man accused of stealing knowledge on practically 10 million prospects of the Australian medical insurance large Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank knowledge whereas working with considered one of Russia’s most damaging ransomware teams, however little extra is shared concerning the accused. Right here’s a more in-depth take a look at the actions of Mr. Ermakov’s alleged hacker handles.
Aleksandr Ermakov, 33, of Russia. Picture: Australian Division of Overseas Affairs and Commerce.
The allegations towards Ermakov mark the primary time Australia has sanctioned a cybercriminal. The paperwork launched by the Australian authorities included a number of images of Mr. Ermakov, and it was clear they needed to ship a message that this was private.
It’s not exhausting to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million information on present and former Medibank prospects. When the corporate refused to pay a $10 million ransom demand, the hackers selectively leaked extremely delicate well being information, together with these tied to abortions, HIV and alcohol abuse.
The U.S. authorities says Ermakov and the opposite actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.
“REvil was among the many most infamous cybercrime gangs on this planet till July 2021 once they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and usually motivated by monetary acquire,” a assertion from the U.S. Division of the Treasury reads. “REvil ransomware has been deployed on roughly 175,000 computer systems worldwide, with not less than $200 million paid in ransom.”
The sanctions say Ermakov glided by a number of aliases on Russian cybercrime boards, together with GustaveDore, JimJones, and Blade Runner. A search on the deal with GustaveDore on the cyber intelligence platform Intel 471 reveals this consumer created a ransomware associates program in November 2021 known as Sugar (a.ok.a. Encoded01), which targeted on concentrating on single computer systems and end-users as a substitute of firms.
An advert for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers towards sharing info with safety researchers, legislation enforcement, or “buddies of Krebs.”
In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was utilizing and working a number of completely different ransomware strains, together with a personal undisclosed pressure and one developed by the REvil gang.”
In 2020, GustaveDore marketed on a number of Russian dialogue boards that he was a part of a Russian expertise agency known as Shtazi, which could possibly be employed for laptop programming, internet growth, and “fame administration.” Shtazi’s web site stays in operation immediately.
A Google-translated model of Shtazi dot ru. Picture: Archive.org.
The third consequence when one searches for shtazi[.]ru in Google is an Instagram submit from a consumer named Mikhail Borisovich Shefel, who promotes Shtazi’s companies as if it had been additionally his enterprise. If this title sounds acquainted, it’s as a result of in December 2023 KrebsOnSecurity recognized Mr. Shefel as “Rescator,” the cybercriminal id tied to tens of thousands and thousands of fee playing cards that had been stolen in 2013 and 2014 from huge field retailers Goal and Residence Depot, amongst others.
How shut was the connection between GustaveDore and Mr. Shefel? The Treasury Division’s sanctions web page says Ermakov used the e-mail deal with ae.ermak@yandex.ru. A seek for this e-mail at DomainTools.com reveals it was used to register only one area title: millioner1[.]com. DomainTools additional finds {that a} cellphone quantity tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]web.
The December 2023 story right here that outed Mr. Shefel as Rescator famous that Shefel just lately modified his final title to “Lenin,” and had launched a service known as Lenin[.]biz that sells bodily USSR-era Ruble notes that bear the picture of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel consists of pictures of stacked USSR-era Ruble notes, in addition to a number of hyperlinks to Shtazi.
The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.
In a report revealed this week, Intel 471 stated investigators related Ermakov to REvil as a result of the stolen Medibank knowledge was revealed on a weblog that had one time been managed by REvil associates who carried out assaults and paid an affiliate price to the gang.
However by the point of the Medibank hack, the REvil group had largely scattered after a sequence of high-profile assaults led to the group being disrupted by legislation enforcement. In November 2021, Europol introduced it arrested seven REvil associates who collectively made greater than $230 million value of ransom calls for since 2019. On the identical time, U.S. authorities unsealed two indictments towards a pair of accused REvil cybercriminals.
“The posting of Medibank’s knowledge on that weblog, nevertheless, indicated a reference to that group, though the connection wasn’t clear on the time,” Intel 471 wrote. “This is sensible looking back, as Ermakov’s group had additionally been a REvil affiliate.”
It’s straightforward to dismiss sanctions like these as ineffective, as a result of so long as Mr. Ermakov stays in Russia he has little to worry of arrest. Nonetheless, his alleged function as an obvious high member of REvil paints a goal on him as somebody who possible possesses giant sums of cryptocurrency, stated Patrick Grey, the Australian co-host and founding father of the safety information podcast Dangerous Enterprise.
“I’ve seen just a few folks poo-poohing the sanctions…however the sanctions element is definitely much less essential than the doxing element,” Grey stated. “As a result of this man’s life simply obtained much more sophisticated. He’s in all probability going to should pay some bribes to remain out of hassle. Each single legal in Russia now is aware of he’s a susceptible 33 yr previous with an absolute ton of bitcoin. So this isn’t a cheerful time for him.”
