Russian-led cybergang broken by police

Group laundered more than a million euros after malware attacks demanded money from people in 30 countries

Spanish police have broken up a gang of cybercriminals whose "ransomware" virus demanded money from thousands of users in 30 countries by pretending to be a message from the police.

The 11-strong gang laundered more than a million euros per year since mid-2011, sending money back to Russia. The leader, a 27-year-old Russian, was arrested while on holiday in Dubai in the United Arab Emirates in December on an international arrest warrant. Spain is seeking his extradition. On Wednesday the rest of the group – six Russians, two Ukrainians and two Georgians – were rounded up by Spanish police in the Costa del Sol.

The arrests point to growing cooperation between private organisations with the technical expertise to identify the source of commercial "malware" (software used to infect computers and steal data, or to persuade people to hand over money) and police forces in multiple countries, which often lack the time or resources to perform that analysis themselves. The latest arrests were helped by the security company Trend Micro; in other cases Microsoft and the security companies Symantec and F-Secure have played major roles in pointing to the locations of criminal gangs.

The "Ransomware" virus would freeze Windows PCs and then display messages on the screen claiming to be from police authorities, including Europol, which said that the user had been fined €100 for accessing file sharing, child pornography or terrorist sites. Researchers from security company Trend Micro, who were pivotal in tracking down the origin of the software, said there were 48 different variations of the virus in use.

Early versions of the software were first seen in Russia in 2005, but the gang refined it so that it would display the logos of the police force of whichever country the user's PC was being used in.

Europol director Rob Wainwright – whose name was used in the scam – estimated that "hundreds of thousands" of Europeans had been affected by the scam. "If we take into account that the average fine was €100 ($130) and 3% … paid it, then the estimated damage is millions of euros," he said.

Spanish police said in a statement that since first discovering the virus in May 2011 they had received 1,200 complaints – but that the number affected was "certainly much higher".

The 10 men arrested on Wednesday were used for the money laundering, while the 27-year-old was behind the virus's design. The money laundering relied on PaySafeCard/UKash vouchers, to which the "ransom" was paid; the vouchers were then sent from the US to the gang in Spain, where they were converted into ready cash and the money wired to Russia.

Trend Micro said: "This coordinated activity – in much the same way as the Trend Micro/FBI action against the DNS Changer gang in 2011 – leading directly to the arrest of individuals believed to be actively engaged in cybercrime, rather than simply taking down associated infrastructure, should serve as a model for how the security industry and law enforcement can effectively cooperate in the fight against online crime."

Charles Arthur, technology editor

The Guardian
