The Federal Bureau of Investigation (FBI) has seized 39.89 Bitcoins with a current value of around $2.3 million from a Russian national alleged to be an affiliate of the REvil (Sodinokibi) and GandCrab ransomware-as-a-service (RaaS) operations.
According to a complaint that was unsealed on November 30, 2021, the funds were seized on August 3, 2021, from an Exodus wallet, which is used by individuals to store a range of different cryptocurrencies. It is unclear how the FBI gained access to that wallet.
When funds are subject to civil forfeiture, the U.S. Department of Justice is required to name any individual who could potentially make a valid claim for the funds. That individual was named as Aleksandr Sikerin, aka Alexander Sikerin and Oleksandr Sikerin, in the complaint for forfeiture.
According to Bleeping Computer, which first reported the seizure, the name engfog was included in the email address of the individual named in the complaint, which is associated with a known affiliate of the two ransomware operations: an individual with the moniker Lalartu. Security researcher Alon Gal had previously investigated Lalartu, who had claimed in a hacking forum that he had been an affiliate of the GandCrab RaaS and had switched to REvil when that operation shut down. Gal confirmed that Lalartu had previously posted on hacking forums using the monikers Protokol, Marka, and Eng_Fog, which correlates with the engfog1337[@]gmail.com email address included in the complaint. Other security researchers have also stated that they believe Aleksandr Sikerin is Lalartu/Eng_Fog.
Lalartu was named in a McAfee report as an affiliate of REvil and is believed to have hacked multiple companies. He has previously sold access to company networks via Exploit.in. Lalartu is a specialist in the penetration testing tools Cobalt Strike and Metasploit, which are used to gain access to corporate networks. Aleksandr Sikerin was last known to be living in St. Petersburg, Russia.
Law enforcement has stepped up efforts to target ransomware gangs following the ransomware attack on Colonial Pipeline. There have been multiple arrests by the United States and its law enforcement partners around the world in recent weeks, including several arrests of RaaS affiliates and other ransomware gang associates in law enforcement operations coordinated by Interpol and Europol.
The Department of Justice announced in November 2021 that it had recently seized cryptocurrencies totaling $6 million from a different ransomware affiliate, a Russian national named Yevgeniy Polyanin. The funds are believed to be Polyanin’s payments for conducting ransomware attacks on behalf of the REvil ransomware gang. Polyanin is alleged to have conducted around 3,000 attacks worldwide.
While the seizures are significant, they represent just a tiny percentage of the ransom payments generated by the REvil ransomware gang and its predecessor GandCrab. In the two years from April 2019 to July 2021, the REvil gang is believed to have been paid more than $200 million in ransom payments.
The recent arrests and seizures demonstrate that anyone involved with ransomware attacks is a target for law enforcement and efforts will continue to bring those individuals to justice. However, since many of the affiliates live in Russia, where there is no extradition agreement with the United States, they are likely to escape justice.