FBI seizes over $2 million USD from the world’s most dangerous ransomware group

In its most recent statement, the Federal Bureau of Investigation (FBI) announced the seizure of $2.2 million USD in cryptocurrency from a well-known affiliate of the REvil and GrandCrab ransomware operations. According to the Agency’s documents, the amount is equivalent to 39.89 Bitcoin, mined from an Exodus e-wallet.

The report does not specify how access to these virtual assets was obtained, although cybersecurity experts point out that, given the characteristics of Exodus, the agents had to have had control of the secret key of this wallet forcibly. The FBI also notes that these resources are in the custody of its division in Texas.

The Agency argues that this e-wallet contained payments made by dozens of victims of the REvil ransomware, in attacks operated by an affiliate identified as Aleksandr Sikerin (also known as Oleksandr Sikerin).

Sikerin used the email address <<engfog1337@gmail.com>> for the deployment of his attacks. Based on this information shared by the FBI, several investigators concluded that the defendant acted under the alias of “Lalartu”.

As some users will recall, variants such as GrandCrab and REvil work under the ransomware-as-a-service (RaaS) model, in which a malware developer cooperates with affiliates, who are tasked with delivering the malware to potential targets and eventually collecting the rewards.

Simply put, the main operators are responsible for the development and maintenance of the malware, in addition to managing the payment portal and other tools, while the affiliates are in charge of identifying, tracking and engaging the victims.

For a couple of years the cybersecurity community reported the detection of multiple attacks responsibility of Lalartu, identified as one of the main operators of GrandCrab and REvil. After the publication of multiple reports, a group of researchers discovered the identity of Lalartu, whose names were eventually revealed.

This is the second time a similar seizure has been reported. A few weeks ago, the U.S. Department of Justice (DOJ) announced that $6 million USD in ransoms paid to the REvil ransomware gang was confiscated. It’s unclear whether the $2.2 million is part of the same operation, though experts believe the two cases are independent.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.