The suspected architect of the Ransomware-as-a-service model, who called himself the “J.P. Morgan” of the underground cybercrime world, has been arrested and extradited from Poland to the U.S., where he faces multiple charges of wire fraud, identity theft and hacking.
Maksim Silnikau, a 38-year-old Belarusian and Ukrainian dual national, is believed to be the mastermind behind a vast criminal network responsible for developing and deploying some of the most damaging ransomware and exploit kits of the past decade.
The U.S. District Court for the Eastern District of Virginia and the District of New Jersey unsealed two separate indictments on Monday that revealed a plethora of cybercriminal activities connected to Silnikau. Apart from him, the District of New Jersey’s indictment charged two other individuals, Andrei Tarasov, 33, from Russia, and Volodymyr Kadaria, 38, from Belarus, as co-conspirators in Silnikau’s alleged activities.
The National Crime Agency (NCA) of the United Kingdom spearheaded the investigation, working alongside the US Secret Service (USSS), FBI, and other international partners across Poland, Ukraine, Spain, Portugal and Germany, to unearth Silnikau’s cybercrime ring and associates.
The Ransomware-as-a-Service Model Pioneer
Silnikau, who also used aliases like “xxx” and “lansky,” is accused of playing a key role in the creation of Reveton, a pioneering ransomware strain credited with introducing the Ransomware-as-a-Service (RaaS) model in 2011. RaaS simplifies ransomware attacks, allowing even low-skilled criminals to launch them for a small fee.
Reveton used scare tactics, falsely accusing victims of downloading illegal content and demanding hefty fines to regain access to their devices. Investigators estimate the scam netted the group roughly $400,000 per month from 2012 to 2014.
In the Eastern District of Virginia, Silnikau is also charged for his role as the creator and administrator of the Ransom Cartel ransomware strain. Launched in May 2021, this ransomware targeted companies in the U.S., including a New York-based company in November 2021 and another California-based firm in March 2022. The perpetrators not only encrypted data but also stole sensitive information, using it as leverage to extort their victims.
The Justice Department’s unsealed indictment revealed that Silnikau recruited participants from cybercrime forums and provided them with the tools and information needed to carry out these ransomware attacks.
The takedown of J.P. Morgan and his network represents a significant victory in the fight against cybercrime. NCA Deputy Director Paul Foster emphasized the group’s far-reaching impact, stating: “As well as causing significant reputational and financial damage, their scams led victims to suffer severe stress and anxiety. Their impact goes far beyond the attacks they launched themselves. They essentially pioneered both the exploit kit and ransomware-as-a-service models.”
Angler Exploit Kit and Scareware Dissemination
Silnikau’s network didn’t stop there. They also developed and distributed the notorious Angler Exploit Kit, a tool used in “malvertising” campaigns. The Angler Exploit Kit targeted web-based vulnerabilities in Internet browsers and associated plug-ins. These malvertising campaigns impacted over half a billion victims worldwide, the NCA confirmed.
The modus operandi of these campaigns involved injecting malicious code into legitimate online advertisements, infecting unsuspecting users with malware – like ransomware variants Reveton, CryptXXX, CryptoWall, Ransom Cartel, etc. – when they clicked the ad. Angler, at its peak, infected an estimated 100,000 devices and generated a staggering $34 million annually.
The NCA linked British national Zain Qaiser to J.P. Morgan’s Angler malvertising campaigns and said that the two shared profits. Qaiser was convicted on three counts of blackmail, Computer Misuse Act and money laundering offences and sentenced to six years and five months in prison in the U.K. in 2019.
The conspirators also allegedly deployed “scareware” ads that displayed hoax messages claiming the system was infected with a virus or was facing Internet troubles. The messages then attempted to deceive the victim into buying or downloading malicious software that acted as a backdoor and gave remote access to the device. In some cases, infostealers were also deployed, which siphoned the victims’ personal identifying or financial data.
The Intricate Web of J.P. Morgan’s Operations
The investigation revealed a complex web of operations, with Silnikau’s network using various aliases and even operating physical offices in Ukraine under the name “Media Lab.” International collaboration proved crucial. The NCA shared information with Ukrainian authorities, leading to raids on Media Lab locations. Additionally, the Singapore Police Force assisted in taking down the infrastructure behind the Ransom Cartel.
Silnikau’s extradition marks a turning point for law enforcement’s ability to track down and prosecute even the most sophisticated cybercriminals operating across international borders. The investigation remains ongoing, with authorities urging anyone with relevant information to come forward.
Deputy Attorney General Lisa Monaco said this case represented a crucial step in holding cybercriminals accountable. “Today’s actions demonstrate our commitment to disrupting ransomware actors and those who use the anonymity of the internet to prey on victims worldwide,” she said.
Authorities hope that Silnikau’s extradition and the charges against his co-conspirators will serve as a deterrent to others engaged in similar activities.