A Russian national has been sentenced to two years in prison and fined $100,000 by the U.S. Department of Justice (DoJ) for his role in managing a sophisticated botnet used to launch ransomware attacks against American companies. Ilya Angelov, 40, identified by the online aliases “milan” and “okart,” co-managed a Russia-based cybercriminal collective known as TA551 between 2017 and 2021. This group specialized in building and monetizing networks of compromised computers, or botnets, for illicit purposes.
The DoJ detailed that Angelov’s group was instrumental in creating a network of infected computers through the distribution of malware-laden files delivered via spam emails. Angelov and his co-manager then profited by selling access to these compromised machines, commonly referred to as “bots,” to other nefarious actors. This monetization strategy served as a critical pipeline for various cybercrime operations, including widespread ransomware attacks.
Russian National Sentenced for Botnet Management Fueling Ransomware Attacks
Angelov’s involvement highlights the persistent threat posed by international cybercriminal enterprises. The group’s operational sophistication was evident in their development of specialized software for mass spam campaigns and advanced malware designed to circumvent cybersecurity defenses. Angelov and his associates were responsible for recruiting members and overseeing the group’s multifaceted activities. A key component of their toolkit was a backdoor exploitation method, enabling the deployment of malicious software onto victim systems.
The primary objective of the TA551 group’s operations was to resell access gained through their botnet to other cybercriminal organizations. These entities then leveraged this access to execute ransomware extortion schemes, causing significant financial damage to their targets. Between August 2018 and December 2019, TA551 provided critical access to its botnet to the BitPaymer ransomware group. This partnership facilitated the infection of 72 U.S. corporations, resulting in over $14.17 million in extortion payments.
Financial Motivations Behind Cybercrime Operations
Following the disruption of the BitPaymer group, the operators of the IcedID malware reportedly paid Angelov’s organization over a million dollars for access to the botnet. This collaboration, which commenced in late 2019 or early 2020, was intended to facilitate further ransomware distribution. While the full extent of the damage caused by this specific partnership remains undetermined, the U.S. Federal Bureau of Investigation (FBI) indicated that this collaboration continued until approximately August 2021.
This pattern of alliances within the cybercrime ecosystem was further evidenced in November 2021. Cybereason reported that the operators of the TrickBot trojan were collaborating with TA551 to distribute the Conti ransomware. Concurrently, France’s Computer Emergency Response Team (CERT-FR) disclosed that the Lockean ransomware gang was utilizing the distribution services offered by TA551. This occurred in the wake of law enforcement actions that led to the takedown of the Emotet botnet at the beginning of 2021, demonstrating the adaptable and persistent nature of these criminal networks.
U.S. Attorney Jerome F. Gorgon Jr. emphasized the consistent motives of foreign cybercriminals, stating, “Foreigner cybercriminals like this defendant target American citizens and corporations. Their methods grow in sophistication. But their motive remains the same – to rip-off and harm us.” This sentencing follows closely on the heels of another DoJ announcement. Just one day prior, Aleksei Olegovich Volkov, a 26-year-old Russian national, was sentenced to nearly seven years in prison. Volkov pleaded guilty to acting as an initial access broker for Yanluowang ransomware attacks that targeted eight U.S. companies between July 2021 and November 2022.
The ongoing prosecution of individuals involved in large-scale botnet operations underscores the international efforts to dismantle cybercriminal infrastructure. The DoJ’s continued focus on prosecuting those who manage these networks suggests that further enforcement actions against financiers and operators of botnets and ransomware gangs can be anticipated. The complex web of collaborations between different cybercriminal groups also indicates that disruptions to one group can lead to shifts in alliances and strategies, warranting continued vigilance and intelligence gathering within the cybersecurity community.

