In the maelstrom of digital hostages

In November 2021, Denis Dubnikov went on vacation to Mexico, but upon arrival at the airport he was denied entry into the country. Instead of being put on a plane to his home country, although flights were available, he was sent to Amsterdam, where he was arrested by the Dutch authorities as soon as he got off the plane. A U.S. warrant was pending against him for cybercrimes. This week, the 29-year-old Russian was extradited to the United States and appeared before a court in Portland. He is accused of laundering ransoms collected by cybercriminals using the Ryuk ransomware.

Dubnikov’s trial is scheduled for October 4. He claims to be innocent, and his lawyer in the United States described the procedure by which the wanted man was initially transferred to the Netherlands as a robbery. According to the U.S. indictment, the 29-year-old allegedly laundered $400,000 in 2019, while the total proceeds from this particular ransomware are estimated to exceed $70 million. If found guilty, he faces up to 20 years in prison.

Ryuk and variants

Most of the damage caused by Ryuk stems from targeted attacks. Those affected primarily include municipal governments and hospitals in the US, which were often paralyzed for weeks after their electronic records were encrypted. Variants of this malware have infected targets in other countries, and traces of it may have been found in Greece.

When individuals or small businesses become victims, it is assumed that they were caught in a cyberattack by accident, not by design.

In January 2020, the hard drives of a distribution company operating in Northern Greece arrived at the Thessaloniki office of the data recovery company Northwind. Their files were encrypted and held hostage. Unknown attackers demanded payment in cryptocurrency for their release. Although the ransom note they left appeared under a different name, the data recovery engineer Dimitris Loulis noticed that the signature on the encrypted files and the email address they used pointed to someone who had dealt with Ryuk in the past. It is not known exactly how the Greek company became a victim. As he told “K”, it is possible that this is some kind of cooperation between different ransomware groups.

Lately, Mr. Loulis has noticed that most of the incidents they have to deal with, one or two a week, involve the STOP/DJVU malware, which they have also encountered in the past. When the victims are individuals or small businesses, they are believed to have been caught in a cyberattack by accident rather than intentionally, because they clicked on the wrong link or downloaded an infected file found in their email. The profile of some of the victims shows the extent of the problem. In the past, they have been asked to recover files after ransomware attacks on a physiotherapist in Thessaloniki, a rented-room owner in Halkidiki, a lawyer in Athens and a photographer in Chania.

Multiple Incidents

In 2015, they were called to deal with just 30 ransomware incidents; in 2020 their number reached 380, and last year it exceeded 500. For four years now, they have been members of Europol’s No More Ransom consortium, whose website (nomoreransom.org) offers the decryption keys that are available. It is estimated that over one billion euros in ransoms have been prevented thanks to this community.

No More Ransom was created in 2016 by Europol in collaboration with the Dutch police, Kaspersky and McAfee. Today, 188 public and private sector bodies from different countries participate in this community, including the Cyber Crime Prosecution Division of the Hellenic Police. It offers 136 free decryption tools for 165 ransomware variants, including Gandcrab, REvil/Sodinokibi, Maze/Egregor/Sekhmet and many more.

The standing advice of the authorities at the international level, as well as of the Cyber Crime Prosecution Division, is to avoid negotiating with cybercriminals and paying a ransom, since no one can guarantee that they will keep their word and release the files. Mr. Loulis has seen cases in the past where an attacker sent a decryption key, but the software was so badly written that the recovered data was unusable. In another case, a criminal who had managed to gain access to the files extorted extra money in exchange for not leaking them on the Internet.

Losses of millions of dollars in the USA

It is impossible to estimate exactly how many victims of ransomware cyberattacks there are, as many companies internationally choose not to publicize their cases so as not to give the impression that their electronic systems are vulnerable or that they lack adequate security mechanisms. However, data from the latest report of the FBI’s Internet Crime Complaint Center (IC3) shows that digital hostage-taking is still a growing threat. In 2021, IC3 received 3,729 ransomware attack complaints, of which 649 came from critical infrastructure operators. In 2020, the number of relevant complaints it registered did not exceed 2,474. Accordingly, in the past year, the estimated monetary losses from digital hostage-taking in the United States exceeded $49.2 million, while in 2020 the corresponding amount was $29 million. In the past two years, cases of digital hostage-taking involving companies and bodies of the wider public sector have become known in our country. The most recent hit was ELTA last March.

It was preceded in January 2022 by the infection of a server hosted at the premises of the 1st Health Region of Attica and serving the accounting and administrative system of the Sotiria hospital and the Asklipieio hospital in Voula, which caused problems with electronic billing and administrative services for several days. Until the network was restored, some operations had to be performed manually. In July 2021, the Municipality of Thessaloniki suffered a similar cyberattack and rebuilt its entire network from scratch, buying new computers and wiping the remaining terminals. In February 2021, Hellenic Defense Systems was targeted by ransomware. Financial and legal records, contracts and correspondence archives were encrypted. The attack affected 150 computers. A month earlier, deceptive emails had been circulating until an employee allegedly clicked on an infected file.

Cities, hospitals and other critical infrastructure collapsed

How paralyzing can the effects of digital hostage-taking be? In 2019, the US city of Lake City, with a population of 12,000, was attacked with Ryuk ransomware. Unidentified attackers managed to lock up city council minutes and other sensitive files, demanding a $460,000 ransom. The same malware had hit a water company in North Carolina a year earlier. About 16 terabytes of data were encrypted, and everyday life in a small town changed dramatically. Transactions between citizens and public services could now be carried out only in person, in cash and with handwritten receipts. There was no way for city officials to videoconference or email each other, a new file backup system would cost the local government $60,000 a year, and even the data recovery process proved difficult and time-consuming.

Taken hostage in October 2020, a Vermont hospital took nearly a month to restore its electronic patient record system. Photo by AP Photo / Wilson Ring

The insurance company negotiated a payment on behalf of the local authorities. After the criminals were paid, a decryption key was sent and an attempt was made to free the files. However, it took about 12 hours to fully restore each terabyte. One month after the cyberattack, there were still data that had not been published. Along the way, the priorities of Ryuk’s operators in the United States appear to have changed, with the cybercriminals primarily targeting the US healthcare system. This malware is estimated to have been behind 75% of attacks on US hospitals in 2020. Taken hostage in October 2020, a Vermont hospital took nearly a month to restore its electronic patient record system. Until access to the records was restored, medical staff tried to draw up treatment protocols for patients undergoing chemotherapy from memory. “There is too much evil in the world. Whoever orchestrated this attack knew how devastating it would be,” a nurse told the New York Times.

In February 2021, the French national cybersecurity agency ANSSI produced a 21-page report devoted solely to the Ryuk ransomware, documenting its possible origins and characteristics. It states that this malware was first discovered in August 2018. Initial estimates of the perpetrators’ nationality pointed to North Korea, but this possibility was later ruled out. It was subsequently associated with cybercriminal groups in Russia.

Author: Giannis Papadopoulos

Source: Kathimerini
