The Department of Justice has charged two Russian nationals with allegedly operating a cybercrime group that used ransomware to attack hundreds of U.S. entities, making over $16 million in the process.
Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, allegedly used ransomware software called Phobos to hack victim computer networks, copy and steal files and programs, then encrypt the original data, according to a news release from the DOJ. Once the original data was encrypted, the men and others involved in the scheme would allegedly extort the victims for ransom payments in exchange for keys that would allow the victims to access the data again.
The men also allegedly threatened to expose stolen files, and allegedly operated a site on the dark web where stolen data was published. Victims of the scheme included a children’s hospital, health care providers, and educational institutions, the Justice Department said. Victims lost data and money.
Berezhnoy and Glebov were arrested Monday. Charges were announced Tuesday.
Each has been charged with one count of wire fraud conspiracy, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of causing intentional damage to protected computers, three counts of extortion in relation to damage to a protected computer, one count of transmitting a threat to impair the confidentiality of stolen data, and one count of unauthorized access and obtaining information from a protected computer.
If convicted, each wire fraud-related charge carries a maximum penalty of 20 years in prison. Each computer damage count has a maximum penalty of 10 years. The remaining counts each have a maximum penalty of five years.
The arrests come as international authorities announced a number of actions against cybercriminals. Recently, Russian national Evgenii Ptitsyn was arrested and extradited on charges related to his alleged administration of Phobos ransomware. European and German authorities also announced an operation involving the FBI and other law enforcement partners that had disrupted over 100 servers associated with the criminal network Berezhnoy and Glebov were a part of, the Department of Justice said.
On Tuesday, the U.S., Australia and the United Kingdom sanctioned Zservers, a Russian-based hosting services provider that supports ransomware attacks made by a group called LockBit. The group uses software, also called LockBit, for similar data extortion attacks as those alleged by Berezhnoy and Glebov.
“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith said in a news release announcing the sanctions. “Today’s trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security.”
