The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good

Former Canadian government employee Sebastian Vachon-Desjardins was sentenced this week for ransomware crimes that netted him $21 million in Bitcoin, along with $500,000 in cash that authorities seized. For over 10 months, Vachon-Desjardins operated as an affiliate for Netwalker, a Russian-speaking ransomware gang that targeted organizations in more than 30 countries during the height of the COVID-19 pandemic.

Vachon-Desjardins has been sentenced to a 20-year prison term in the United States after admitting to four charges including conspiracy to commit wire fraud, conspiracy to commit computer fraud, intentional damage to a protected computer system, and sending a demand in relation to damaging a protected computer.


Vachon-Desjardins was one of Netwalker's most prolific affiliates according to U.S. court filings. Netwalker's targets included schools, hospitals, emergency services, law enforcement agencies, and businesses, all of which received ransom demands in exchange for decryption of their data. With as many as 400 entities affected and a collected total of $40 million in ransom payments, Vachon-Desjardins himself was found to have received a third of the proceeds.

The DOJ’s press release noted that Netwalker’s attacks specifically took advantage of the global pandemic crisis to extort victims. The U.S. District Judge who doled out the sentence went above the 12 to 15-year prison term suggested by federal guidelines with the intention of deterring cybercriminals on the whole. The Assistant Attorney General of the Justice Department explained, “Today’s sentence demonstrates that ransomware actors will face significant consequences for their crimes and exemplifies the Department’s steadfast commitment to pursuing actors who participate in ransomware schemes.”

The Bad

This week, the FBI warned of a rise in 'pig butchering', a long-con investment scam in which victims are coaxed into handing over ever-larger sums of cryptocurrency over an extended period of time. The FBI's public service announcement aims to raise awareness amongst investors as more incidents are reported.

‘Pig butchering’ is still a relatively new scam but uses age-old social engineering tactics. The ‘pigs’ in this case are unsuspecting investors who are contacted by fraudsters through social media. Fraudsters then work to establish long-term relationships with these individuals either through fake friendships, the promise of romantic connections, or even going as far as impersonating a real acquaintance.

The victims are eventually convinced to invest in cryptocurrency on counterfeit platforms which are designed to show huge returns on funds. Spurred on, they’re encouraged to make more investments, thus ‘fattening up’ the size of the target. Only upon withdrawal do the investors realize they have been scammed as the fraudster ceases communication and shuts down the fake crypto exchange platform. The consequences of these scams are usually significant with the victim’s losses ranging from thousands to millions of dollars.


The FBI is warning investors to verify the validity of any unsolicited investment opportunity and to check that the domain names in any links actually belong to legitimate financial institutions. A staple of these lures is typosquatting: registering a domain that differs from a legitimate address by a letter or two (a dropped or doubled character, a look-alike character, a different top-level domain) so that a victim skimming the link reads it as the real site. Cyber criminals running 'get rich quick' investment scams also commonly try to persuade victims to download malicious apps on the pretext of offering some tool needed for investing.
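As an added example (not code from the original post, the FBI, or any vendor), the check below takes a link, extracts its host, decodes punycode, and compares the registrable domain against a constructed allowlist of two made-up institutions, flagging the common typosquat shapes described above: look-alike characters, dropped or doubled letters, a wrong top-level domain, and a brand name padded with extra words. The allowlist, the confusable table and the edit-distance threshold are assumptions to tune; the two-label shortcut for the registrable domain is also an assumption, and a production version would use the Public Suffix List instead.

```python
"""Flag links whose host is a look-alike of a domain the user actually trusts.

Added illustration for the typosquatting point above; not code from the
original page or any named organisation. All domains here are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user really banks/trades with.
KNOWN_GOOD = ("examplebank.com", "example-exchange.io")

# Constructed table of characters that render like ASCII letters: a few
# Cyrillic homoglyphs plus digit and letter-pair substitutions seen in lures.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}


def host_of(url: str) -> str:
    """Extract the host from a URL (scheme optional) and decode punycode.

    Decoding xn-- labels lets the confusable check run on what the victim
    sees in the address bar rather than on the ASCII encoding.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid punycode: compare as-is
    return host


def registrable_domain(host: str) -> str:
    """Assumption: last two labels form the registrable domain (no co.uk handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold_confusables(s: str) -> str:
    """Map look-alike characters onto the ASCII letters they imitate."""
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean a dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike:<target>' or 'unknown' for a link."""
    dom = registrable_domain(host_of(url))
    if dom in KNOWN_GOOD:
        return "legitimate"
    name, _, tld = dom.rpartition(".")
    fname = fold_confusables(name)
    for good in KNOWN_GOOD:
        gname, _, gtld = good.rpartition(".")
        if fold_confusables(dom) == good:          # homoglyph or digit swap
            return f"lookalike:{good}"
        if name == gname and tld != gtld:          # right brand, wrong TLD
            return f"lookalike:{good}"
        if gname in fname and fname != gname:      # brand padded with extra words
            return f"lookalike:{good}"
        if levenshtein(fname, gname) <= 2:         # typo, dropped or doubled letter
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links a victim might be sent.
    for link in ("https://examplebank.com/login", "http://examp1ebank.com",
                 "https://examplebank.co/", "https://examplebank-login.com",
                 "https://ex\u0430mplebank.com", "https://github.com"):
        print(f"{link:40} -> {classify(link)}")
```

The threshold of two edits is deliberately loose; on short brand names it will over-flag, so in practice pair it with a hard rule that anything not on the allowlist is treated as untrusted regardless of how it scores.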

Caution is the first line of defense here, and as the old adage has it, if an opportunity sounds too good to be true, it most probably is.

The Ugly

Reports have emerged this week that men eligible for enlistment in Russia began leveraging cybercrime services soon after President Vladimir Putin called for a partial mobilization of troops to fight in Ukraine. Resorting to illegal online marketplaces, many men who have not fled are soliciting falsified exemptions while those who have are reportedly turning to identity-masking tools to protect themselves from discovery.

Since the invasion in February, opportunistic scammers have taken advantage of the sociopolitical climate to exploit people who are trying to survive the war. So far, some scammers have claimed to sell forged documents on the dark web that would allow Russian men to evade the draft, while others have pledged to scrub their buyers' records from enlistment office databases, all in exchange for a fee as well as a copy of the buyer's passport. Once payment is made, the scammers stop communicating and likely reuse the stolen money and passport data in further fraud.

Cyber intelligence firm, KELA, also reported on a number of cybercrime forums claiming to provide fake documents and medical reports, as well as connecting buyers to job opportunities that would result in a postponed draft.

The call for partial mobilization has created an environment where Russian citizens are seeking illegal means to avoid the order. Underground markets and darknets are prospering as new scams surge. Cybercrime has long played off of human emotions such as fear, uncertainty, and desperation and, as the conflict in Ukraine continues, it seems cybercrime forums will continue to exploit desperate individuals living in wartime.