
Botnet Manager Sentenced to 2 Years for Ransomware Role

Originally published on: March 26, 2026
Summary

– A Russian national was sentenced to two years in prison for managing a botnet used in ransomware attacks against 72 U.S. companies.
– He traveled to the U.S. to plead guilty after a criminal associate was arrested and following Russia’s invasion of Ukraine.
– His cybercrime group, known by names like Mario Kart and TA551, ran massive phishing campaigns that infected thousands of computers daily.
– The group sold access to infected devices to other criminals, leading to over $14 million in extortion payments from U.S. victims.
– The operation collaborated with various ransomware gangs, distributing malware like BitPaymer, Conti, and DoppelPaymer.

A Russian national has received a two-year prison sentence for his role in managing a phishing botnet that facilitated ransomware attacks against dozens of American businesses. Ilya Angelov, 40, traveled to the United States to plead guilty following the 2022 invasion of Ukraine and the arrest of a criminal associate in Switzerland. His operation, known to the FBI as Mario Kart and to cybersecurity researchers under multiple aliases including TA551 and Shathak, was a sophisticated criminal enterprise.

Angelov co-led the group, which recruited members for specialized roles such as coding malware, orchestrating spam distribution, and modifying malicious software to bypass security defenses. Prosecutors detailed a massive operation capable of sending 700,000 emails daily. When recipients opened infected attachments, their computers were covertly added to the botnet, with infections peaking at roughly 3,000 systems per day.

From 2017 to 2021, this cybercrime gang used its botnet for large-scale phishing campaigns. They then monetized their access by selling control of compromised devices to other criminals, including affiliates of Ransomware-as-a-Service (RaaS) schemes. These buyers typically executed extortion attacks, locking victims out of their networks and demanding cryptocurrency payments for restoration. The Justice Department linked one such organization to ransomware infections at over 70 U.S. companies, leading to more than $14 million in extortion payments.

While the specific BitPaymer ransomware attacks occurred between August 2018 and December 2019, Angelov’s group continued to profit. The IcedID cybercrime gang paid them an additional $1 million for botnet access from late 2019 through August 2021, though the full scope of the resulting damage remains unclear.

The group, TA551, has a history of collaboration with other major threat actors. They have partnered with the TrickBot gang, also known as Wizard Spider, in phishing campaigns that ultimately deployed Conti ransomware. Furthermore, France’s national CERT identified TA551 as a collaborator in the Lockean ransomware operation, helping affiliates deploy payloads like ProLock, Egregor, and DoppelPaymer through systems infected with the QakBot banking trojan.

In a related case this week, another Russian national, 26-year-old Aleksey Olegovich Volkov, was sentenced to nearly seven years in prison. He pleaded guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks, highlighting the interconnected nature of these cybercriminal ecosystems.

(Source: BleepingComputer)
