Who are the people the ransomware groups most rely on for their business model?
Most commentators fall back on the conventional view that the ransomware industry’s main protagonists are the clever but amoral hacker masterminds looking to make big bucks.
But occasionally we get a glimpse that what’s inside the criminality’s black box might be more complicated than this picture suggests. A rarely mentioned group are the financial enablers who keep the whole ransomware show working efficiently and are probably just as important as any programmer.
Take, for example, Russian national Ekaterina Zhdanova, recently sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for allegedly helping ransomware groups receive and launder illicit funds.
It’s claimed that Zhdanova helped to launder $2.3 million in cryptocurrency ransom payments for a RYUK ransomware affiliate as part of that group’s high-profile attacks.
At the heart of this activity was Russian cryptocurrency exchange Garantex, a company located in the now notorious Federation Tower skyscrapers in Moscow believed to house other, similar laundering operations.
We covered the importance of the brash Federation Tower complex in an April 2022 blog that examined its role as a criminal hub (which is not to say that perfectly legitimate businesses don’t also use the complex).
In truth, the $2.3 million sum is a huge understatement of the money gathered by RYUK—an early 2021 estimate put its earnings at no less than $150 million at that time.
According to OFAC, her business was a sophisticated operation reaching across the globe:
“Zhdanova relies on multiple methods of value transfer to move funds internationally. This includes the use of cash and leveraging connections to other international money laundering associates and organizations,” said the press release. And there are details that are unexpected. Far from being a backstreet operation, this business was in some respects very public.
“Zhdanova also uses traditional businesses to maintain access to the international financial system, including through a luxury watch company that has offices around the world.”
Criminal Expertise Ecosystem
Skyscrapers, expensive watches, and fancy offices in far-flung places are a far cry from the idea of small-town sociopath hackers in basements, but they are probably just as important to the ransomware industry’s success.
It seems that Zhdanova’s alleged connection to ransomware was only one part of a much larger criminal enterprise taking in several layers of financial know-how.
The takeaway is that ransomware doesn’t exist in a vacuum; it depends on an ecosystem of criminal expertise to operate. A lot of that expertise isn’t obvious and requires connections, as well as knowledge of the financial system and its weaknesses and loopholes. There’s even an argument that today’s financially integrated ransomware is an outgrowth of organized crime rather than a standalone enterprise that merely uses its services. That wasn’t true a decade ago, but these days, with a lot of money to be made, the enablers and financial kingpins have muscled in to take their no doubt substantial cut.