The U.S. Department of Justice (DoJ) said a Russian national has been sentenced to two years in prison for managing a botnet that was used to launch ransomware attacks against U.S. companies.
Ilya Angelov, 40, of Tolyatti, Russia, was also fined $100,000. Angelov, who went by the online aliases “milan” and “okart,” is said to have co-managed a Russia-based cybercriminal group known as TA551 (aka ATK236, G0127, Gold Cabin, Hive0106, Mario Kart, Monster Libra, Shathak, and UNC2420) between 2017 and 2021.
“Angelov’s group built a network of compromised computers (a ‘botnet’) through distribution of malware-infected files attached to spam emails,” the DoJ said. “Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers (‘bots’).”
According to the sentencing memorandum, the threat group developed programs to distribute spam email and refined malware to bypass security tools. Angelov and his co-manager recruited members and oversaw the various activities. Chief among its tools was a backdoor through which malicious software could be uploaded to the victim’s computers.
The main goal of the attacks was to resell the access to other criminal groups, who leveraged it for ransomware extortion schemes. Between August 2018 and December 2019, TA551 provided the BitPaymer ransomware group with access to its botnet, allowing the e-crime gang to infect 72 U.S. corporations. This resulted in more than $14.17 million in extortion payments.
The operators of the IcedID malware also paid Angelov’s group over a million dollars to acquire access to the botnet in late 2019 or early 2020 and distribute ransomware, although the extent of the damage is currently not known. It’s suspected that this partnership blossomed after the disruption of the BitPaymer group. The collaboration lasted until about August 2021, per the U.S. Federal Bureau of Investigation (FBI).
Based on a report published by Google-owned Mandiant in February 2021, phishing emails containing password-protected archives tricked recipients into opening macro-enabled Microsoft Word documents, leading to the deployment of a macro downloader dubbed MOUSEISLAND. The malware acted as a conduit for a secondary payload, codenamed PHOTOLOADER, which ultimately installed IcedID. Both MOUSEISLAND and PHOTOLOADER have been attributed to TA551.
In November 2021, Cybereason revealed that the operators of the TrickBot trojan were teaming up with TA551 to distribute Conti Ransomware. That same month, France’s Computer Emergency Response Team (CERT-FR) also disclosed that the Lockean ransomware gang was using distribution services offered by TA551 following the law enforcement takedown of the Emotet botnet at the start of 2021.
“Foreigner cybercriminals like this defendant target American citizens and corporations,” U.S. Attorney Jerome F. Gorgon Jr. said in a statement. “Their methods grow in sophistication. But their motive remains the same – to rip-off and harm us.”
The development comes a day after the DoJ announced that another Russian national, a 26-year-old Aleksei Olegovich Volkov (aka “chubaka.kor” and “nets”), was sentenced to nearly 7 years in prison after pleading guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks targeting eight companies in the U.S. between July 2021 and November 2022.
