Russian authorities have detained a hacker named Aleksandr Ermakov, believed to be behind the SugarLocker ransomware attacks that have targeted organizations worldwide, including Australia’s Medibank. The SugarLocker member arrest is a significant blow to the cybercriminal group responsible for these ransomware operations.
Ermakov’s apprehension follows extensive collaboration between Russian law enforcement and the cybersecurity firm FACCT, which develops security technology and offers cybercrime response, fraud detection, research, and intellectual property protection services in Russia. Together, they identified and captured members of the SugarLocker ransomware group, disrupting its activities.
Russian Law Enforcement and SugarLocker Member Arrest
Investigators in the SugarLocker member arrest found crucial evidence pointing to the gang’s operations, including a configuration error in the web server hosting SugarLocker’s control panel. This oversight inadvertently exposed the identities of the SugarLocker ransomware group’s members, leading to their eventual arrest.
In January 2024, three members of the SugarLocker ransomware group were apprehended by Russian law enforcement officers, aided by specialists from FACCT.
During the operation, authorities seized laptops, mobile phones, and digital evidence linking the suspects to illegal cyber activities. Among those detained was an individual known by aliases such as blade_runner, GistaveDore, and JimJones.
The arrested individuals have been formally charged under Article 273 of the Russian Federation’s Criminal Code for the creation, use, and distribution of malicious computer programs. An ongoing investigation seeks to uncover further details about the group’s operations and potential accomplices.
According to the press release by FACCT on February 21, 2024, the collaboration between the Russian Ministry of Internal Affairs and FACCT resulted in the dismantling of the SugarLocker ransomware group. The cybercriminals had operated under the guise of a legitimate IT company, offering services for website development and online applications.
Who is the SugarLocker Ransomware Group?
The SugarLocker ransomware, also known as Encoded01, first emerged in early 2021 but remained relatively dormant until later that year. The group gained notoriety after initiating an affiliate program on the dark web, recruiting partners to propagate their ransomware attacks. The program offered lucrative profit-sharing arrangements, enticing individuals to join their criminal enterprise.
The ransomware operated under a Ransomware-as-a-Service (RaaS) model, providing partners with the tools and infrastructure needed to execute attacks. The group’s modus operandi involved targeting networks and exploiting vulnerabilities, with specific instructions to avoid targeting Commonwealth of Independent States (CIS) countries, except for the Baltic States and Poland.
Detailed analysis of SugarLocker revealed its encryption scheme and customizable settings, distinguishing it from other ransomware variants. The group continuously updated its malware, indicating an intention to escalate operations once it had recruited enough partners.
Despite the group’s efforts to conceal its activities, investigations by cybersecurity experts uncovered crucial details about SugarLocker’s operations. The group’s infrastructure, hosted on Russian servers, contained weaknesses that inadvertently exposed its members and led to their eventual downfall.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.