Ryuk ransomware laundering leads to guilty plea

Ryuk, a mainstay of the ransomware scene for some years until it transformed into Conti (and then split off into other groups after that), is back in the news again… though not in the way you might have imagined.

It’s not a compromise, or a surprise comeback. What we have is a guilty plea, as a Russian citizen is the focus of a ransomware-centric money laundering story.

From shadows to spotlight

Hiding in plain sight does not seem to have gone well for “former crypto-exchange executive” Denis Mihaqlovic Dubnikov. After an arrest back in 2021 and extradition to the US last year, he has made several court appearances, alongside an assortment of other individuals tangled up in the case, accused of money laundering in relation to Ryuk attacks across the globe.

The Ryuk ransoms, paid in cryptocurrency such as Bitcoin, were split into smaller portions, forwarded through multiple cryptocurrency wallets, and then deposited into exchange accounts where they were converted into other currencies. Eventually, the money would find its way into the hands of other people involved in the various schemes.

All of this daisy-chaining of funds was intended to make the payments harder for law enforcement to trace.

From the indictment release:

The Ryuk actors used anonymous private wallets in their ransom notes, allowing them immediately to conceal the nature, location, source, ownership, and control of the ransom payments. After receiving the ransom payments, the Ryuk actors, defendants, and others involved in the scheme engaged in various financial transactions, including international financial transactions, to conceal the nature, source, location, ownership, and control of the ransom proceeds. They also used proceeds from the ransom payments to facilitate or promote the specified unlawful activities.

The ransom notes made it clear that files would be deleted after two weeks should ransoms not be paid. As you can imagine, this rather blunt threat tended to spur people quickly into paying up—in total around $150m was paid.

Big money prizes

The numbers involved in this case are large, to say the least. In a roughly four-month span in the middle of 2019, one defendant “laundered more than $2 million in Ryuk ransom proceeds”. Another laundered more than $600 in March of that same year. Similar figures sit next to the other, as yet unnamed, defendants. The biggest of all weighs in at more than $35 million in ransom proceeds, laundered between around February 2020 and July 2021.

It’s astonishing to think that all of this took place over a period of just three years.

Make no mistake, this was a big money operation. While we don’t know the exact details relating to the other defendants, Bleeping Computer notes that Dubnikov could face up to 20 years in prison and a fine of up to $500,000, which doesn’t seem all that big compared to the kind of numbers the group was allegedly moving around. Either way, we’ll know his fate come April.

How to avoid ransomware

While you likely don’t have to worry about Ryuk lurching onto your systems anytime soon, ransomware itself is a perennial problem and isn’t going away. It targets businesses and individuals across every industry you can think of. There are bedroom coders, professional gangs, ransomware as a service, and much more.

Whether we’re talking single, double, or even triple extortion, the problem is very real.

What can we do about it?

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan tells your responders what to do in the event of an attack. It should cover restoring from backups, client outreach, and reporting to law enforcement, among other things.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught to recognize social engineering tactics and the red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing, including a periodic restore.
  • Secure your Remote Desktop Protocol (RDP). RDP remains a fantastic way for attackers to gatecrash a network without you knowing about it. Don’t expose it directly to the internet; put it behind a VPN or gateway, require Network Level Authentication and multi-factor authentication, and set an account lockout policy so that brute-force login attempts are throttled. Lockout is only switched on by default in recent Windows versions, so check the policy rather than assuming it is there.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.
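The RDP advice above is easier to act on with a quick audit of the settings it names. The script below is an added example written for this page, not code from the original article or from Malwarebytes; it assumes a Windows host where local policy applies, that the registry values are the documented Terminal Server ones (fDenyTSConnections, UserAuthentication), and that Security event 4625 carries the logon type at Properties[10] and the source address at Properties[19]. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit RDP exposure on a
# Windows host. Assumptions: local policy applies; registry paths and value
# names are the standard Terminal Server ones; event 4625 field positions
# are LogonType = Properties[10], IpAddress = Properties[19].

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all?  fDenyTSConnections = 1 means Remote Desktop is off.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required?  UserAuthentication = 1 means the
#    client must authenticate before a session is created, which removes the
#    pre-auth attack surface of the login screen.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which enabled inbound firewall rules allow RDP, and from which addresses?
#    A rule whose RemoteAddress is 'Any' on an internet-facing interface is the
#    exposure the bullet warns about.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
  ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
  }

# 4. Account lockout policy. "Lockout threshold: Never" means unlimited guesses.
$lockout = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }

# 5. Failed RDP logons in the last 24 hours, grouped by source IP.
#    Event 4625 with LogonType 10 (RemoteInteractive) is a failed RDP logon.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[10].Value -eq 10 } |
  Group-Object { $_.Properties[19].Value } |
  Sort-Object Count -Descending |
  Select-Object -First 10 Name, Count

"RDP enabled       : $rdpEnabled"
"NLA required      : $nla"
"Lockout policy    : $lockout"
"Inbound RDP rules :"
$fwRules | Format-Table -AutoSize
"Top sources of failed RDP logons (last 24h):"
$failed  | Format-Table -AutoSize

# Remediation, only if RDP genuinely has to stay on. The 10.0.0.0/8 range is a
# placeholder for your VPN or jump-host network.
#   Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1       # require NLA
#   net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
#   Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress 10.0.0.0/8
```

The failed-logon count is the part worth keeping an eye on: a handful of distinct source addresses each producing hundreds of LogonType 10 failures is the signature of a password-spraying bot, and on a host with no lockout threshold those attempts never get throttled.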

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.