A UK man involved in the distribution of the Reveton ransomware was sentenced to six years in prison today in a London court.
According to the UK's National Crime Agency, Zain Qaiser, 24, of Barking, operated by buying ads on adult websites, inserting malicious code in the ads, and redirecting victims to malicious sites.
These sites ran a version of the Angler exploit kit, which exploited vulnerabilities in visitors' browsers to infect them with malware, and more specifically with Reveton, a ransomware strain that locked users' access to their PCs with messages purporting to have come from various law enforcement agencies, such as the FBI.
The NCA said that Qaiser made at least $915,000 (£700,000) from Reveton ransom payments.
Proceeds made from his scheme didn't land in Qaiser's accounts directly, but were handled through a network of money mules.
The Reveton ransomware would instruct victims to purchase GreenDot MoneyPak vouchers, take the code on the voucher, and enter it in the Reveton panel that was being displayed on their PC screens.
This money would land in a MoneyPak account managed by Qaiser, who would then work with a US co-conspirator to deposit the voucher payments into the co-conspirator's debit card.
The co-conspirator would then convert the debit card funds into Liberty Reserve digital currency and send it back to Qaiser's Liberty Reserve account.
Liberty Reserve seizure played a major role
A first breakthrough in this case came in May 2013 when authorities from 18 countries seized and shut down Liberty Reserve servers, gaining access to all the digital currency's transactions and account history.
UK authorities first arrested Qaiser in July 2014, but they had to let him go due to a lack of evidence.
However, due to the collaborative work on sifting through the vast amount of Liberty Reserve data, the needed evidence was eventually discovered, both against Qaiser and some of his co-conspirators.
The most high-profile of these co-conspirators was Raymond Odigie Uadiale, a Florida man who helped transfer money from US victims back to the UK, and who later landed a job as a software engineer for Microsoft.
Qaiser, who operated online using the moniker "K!NG", was eventually charged in February 2017 and taken into custody in December 2018.
Qaiser also DDoSed two adult ad agencies
Besides his role in distributing the Reveton ransomware, the NCA said that Qaiser also engaged in blackmail and DDoS attacks once the companies he was renting ad space from found out what he was doing and tried to stop him.
The NCA said Qaiser hit at least two adult ad agencies with DDoS attacks and told one agency director "I'll first kill your server, then send child porn spam abuses," as a threat if they didn't allow him to rent new ad space.
According to UK authorities, these companies suffered losses of over £500,000 ($655,000) while dealing with Qaiser's DDoS attacks.
Qaiser didn't stop using their services, but merely switched to using stolen identities to buy new ad space.
British investigators also said that Qaiser wasted most of his criminal proceeds on high-end hotels, prostitutes, gambling, drugs, and luxury items, despite being unemployed and living with his family.
Qaiser worked with the Lurk gang
British authorities said Qaiser didn't operate alone, but had ties to a Russian cyber-crime group, which usually hosted the now-defunct Angler exploit kit.
Qaiser's associates are believed to be the Lurk malware gang, responsible for creating the Lurk banking trojan and the Angler exploit kit.
"This was one of the most sophisticated, serious and organised cyber crime groups the National Crime Agency has ever investigated," said Nigel Leary, NCA Senior Investigating Officer. "The group owned and operated the Angler Exploit Kit - one of the most successful and closely guarded pieces of malicious software ever developed by the cyber crime community."
"Zain Qaiser was an integral part of this organised crime group generating millions of pounds in ransom payments by blackmailing countless victims and threatening them with bogus police investigations."