August 29

Silnikau: A dark legacy of ransomware and other cybercrimes


This method was effective in 2013 because it hadn’t been seen before and because many companies and computer users were just getting started with the always-on internet. Law enforcement agencies analyzed the threat and published alerts and mitigation instructions, and soon, Silnikau’s team realized that not every victim would pay a ransom. To ensure they could monetize an infection, Silnikau added a password-stealing component that operated in the background while the splash screen was displayed. This version of Reveton could “steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage.” This Technet blog details the Reveton infection chain and the password-stealing component.

Ransomware-as-a-Service

Aside from the FBI-themed extortion splash screens, Reveton is notable for being the first Ransomware-as-a-Service (RaaS) operation. You likely recall that RaaS is a business model allowing threat actors to subscribe to ransomware services developed and managed by organized providers. RaaS has made cybercrime more accessible by removing infrastructure- and skill-related barriers. Malware, phishing, DDoS, and exploits are all available in ‘Crime-as-a-Service’ models. These services are supported by Botnets-for-Hire that send phishing emails or conduct DDoS attacks. All of these resources are available as a subscription service in the cybercrime ecosystem, and they all arrived alongside or after RaaS.

Reveton was offered as a service through criminal forums and other underground communication channels. Threat actors would reply to these messages to register as affiliates. Once enrolled in the Reveton program, they were given access to the ransomware and infrastructure in exchange for a share of the ransom. The details of the payment scheme are unclear, but affiliates were getting a large share of the ransom. The RaaS business model and generous profit sharing helped Silnikau scale up Reveton operations, and it added a third method of monetization to the ransomware. 

The RaaS model has decentralized ransomware attack operations across the globe. This has complicated law enforcement efforts because so many threat actors can change locations quickly without much disruption to their operations. RaaS providers also manage negotiations and transactions with the victims on behalf of their subscribers/affiliates. This adds a layer of separation between the threat actor and the victim and may reduce the threat actor’s exposure to law enforcement.

An excellent example of this identity obfuscation can be found in the aftermath of the 2024 Change Healthcare attack. ALPHV claimed responsibility for the attack and collected the ransom. The public learned about “notchy” and his role in stealing the data after ALPHV took the full ransom and went dark. Notchy complained about this in the forums, which brought this internal conflict to the attention of researchers and security reporters. Shortly after that, human intelligence (HUMINT) sources determined there was a “high probability” that Notchy was associated with groups sponsored by the People’s Republic of China (PRC). ALPHV was a “Russian-speaking group” that appeared to have no ties to a nation-state. There’s no substantial evidence linking Notchy to the PRC, but the public probably wouldn’t have heard about Notchy or the possible PRC connection if ALPHV hadn’t gone dark.

Silnikau’s legacy

Silnikau did not build his empire alone. Business partners, subscribers, affiliates, and malware developers contributed to his operation. Some were arrested years ago, and some are expected to be arrested soon. If the evidence supports the charges, we may see these criminals put in jail for decades and hopefully prohibited from ever using the internet again. But how much does this change the threat landscape today? Silnikau was arrested over a year ago. Ransom Cartel was taken offline, and law enforcement gathered significant evidence that will hopefully lead to more prosecutions. It’s always good to capture a RaaS operator and dismantle his operation, but what does it mean to you today?

The world is covered in crime-as-a-service. Companies have lost billions of dollars to ransomware and system disruption, and almost everyone in the United States has had their credentials and sensitive data stolen multiple times. Like a comic book supervillain, Silnikau built a monster that no longer needs its creator to carry out its mission.

Silnikau’s criminal infrastructure and operations directly contributed to the growth of the cybercrime ecosystem. He pioneered RaaS as a business model and popularized malvertising as an attack surface. His success with the AEK demonstrated how to use exploits and ‘drive-by downloads’ to scale and automate attacks. That success lowered the barrier to entry for new threat actors. Some of them are now experienced cybercriminals controlling active ransomware groups.

Silnikau was among the first to recognize that passwords are money, and the Reveton era saw some of the most notable credential-enabled data breaches in history:

Stolen credentials have become an entire underground business since then, with threat actors specializing in different types of credentials like remote access credentials or Microsoft 365 access. Artificial intelligence (AI) has helped threat actors accelerate credential theft and has given them new ways to create large-scale attacks by combining usernames and passwords from multiple breaches.

Adding the password-stealer is an early example of a threat actor responding to improved defenses and security measures. It also made Reveton among the first to expand the monetization of a single attack. This is now the norm for cybercrime groups.

We should also consider the impact of Silnikau’s operational security. He employed advanced law enforcement evasion tactics, which continue to serve as models for other threat actors. Threat actors who have nothing to do with Silnikau are still learning from the example of his career in cybercrime.

It is likely that RaaS, malvertising, and the rest of Silnikau’s attacks would have emerged eventually through other threat actors. I can’t provide a dollar amount or an attack family tree demonstrating his direct impact on modern cybercrime, but we don’t need that anyway. All we need to do is look at the threat landscape as it is today. Silnikau’s footprints are everywhere.

Protect your business

Ransomware attacks have not stopped, and cybercriminals are getting good at using AI to accelerate and improve their attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Stop Ransomware website can help you prevent ransomware attacks. You should review this site for information on emergency communications, bad practices, and proper ransomware attack response. Also, make sure you’re following the standard best practices, such as regular data backups and timely patch management.

Barracuda offers complete ransomware protection and the industry’s most comprehensive cybersecurity platform. Visit our website to see how we defend email, network, applications, and data. 
