Ukraine Sentences Two Citizens for DDoS Extortion CampaignsGroundbreaking Prosecution Targeted Attackers Who Demanded Bitcoin Payoffs
In a groundbreaking prosecution, two individuals in Ukraine have been sentenced for running distributed denial-of-service extortion attacks.
Gayk Grishkyan, 23, and Inna Yatsenko, 31, have each received a five-year suspended sentence after pleading guilty to running shakedowns that threatened victims located around the world with DDoS disruptions unless they paid attackers' ransom demands using bitcoin cryptocurrency.
Ilya Sachkov, CEO of Moscow-based cybersecurity firm Group-IB, which assisted in the investigation, confirms that the suspects did not act alone. "Grishkian and Yatsenko did have accomplices," he says. "Primarily, these are people who helped the gang. We cannot disclose any details about them."
The case marks a cybercrime justice watershed for Ukraine, Sachkov contends. "This is the first large-scale international DDoS-extortion case in Ukraine, which was solved ... and brought to court," he says.
DDoS defense firm Qrator Labs also assisted with the investigation.
The two defendants attempted to extort multiple international firms, including at least one dating site, plus online stores, electronic payment systems, currency exchange sites, as well as betting, lottery and gaming services sites, according to court documents. Firms that didn't provide bitcoin payoffs were threatened with DDoS disruptions of their websites, with the pair disrupting hundreds of websites, the documents note.
"The average ransom amount demanded by the criminals ranged from $1,000 to $10,000," Group-IB says. "However, at that time no criminal action was taken against them. Most of the victims simply paid their ransoms and did not appeal to the police. Under no circumstances should anyone pay ransom to criminals and thereby sponsor crime." (See Please Don't Pay Ransoms, FBI Urges)
Shakedown victims included U.S. data and hosting firm Stafford Associates as well as electronic payment system PayOnline, Qrator Labs says.
Another organization targeted for shakedowns was online dating site AnastasiaDate, a New York-based dating service that says it has 20 million international members.
"In autumn 2015, our systems indicated a DDoS attack on one of AnastasiaDate resources, during which Qrator filtering network blacklisted approximately 2,000 source IP addresses," Qrator Labs CEO Alexander Lyamin says in a statement.
Lyamin says the attacks didn't appear to be attempting to disrupt sites via sheer quantity of bogus traffic - such as an IP flood - but rather via a more strategic attack. "The decrease in both web application efficiency and server performance - growth of responses with latency over one second, which is a massive service degradation - indicates that most probably AnastasiaDate resources were aimed with an application layer attack, targeting a specific stress point within application architecture."
About one year later, Qrator Labs says AnastasiaDate began receiving emailed extortion demands, accompanied by DDoS attacks that peaked at almost 20 gigabits per second being launched from at least 10,000 different IP addresses. "Such attacks are generated by a botnet, with several protocols being utilized," Lyamin says, adding that at times, the attacks successfully exceeded the bandwidth allocated to AnastasiaDate by its upstream service provider, making it impossible for customers to reach the site.
Investigators Traced OPSEC Failures
Group-IB said it tied the 2015 and 2016 attacks to the same group. "Our first task was to analyze the email address used by criminals," Sachkov tells Information Security Media Group.
A username on an email address used to send ransom demands matched a customer nickname for a hosting provider. "We analyzed the information on the rented server and identified its owner," he says. "We also analyzed the bitcoin wallet used by threat actors and its transactions. Some of the transactions confirmed that the server owner and the extortionist are the same person."
Sachkov says the suspects, working independently, used a combination of stresser/booter services, botnet rentals and leased servers to launch DDoS attacks. "Initially, Grishkyan did it all by himself. Later Yatsenko began to assist Grishkyan technically when conducting attacks," he says.
"To perform attacks on various resources, criminals both bought access to stressers -specialized services for attacks - and rented botnets for DDoS attacks," Sachkov adds. "They also conducted simpler attacks using leased, dedicated servers - for example, WordPress pingback DDoS attacks."
In December 2016, AnastasiaDate, using the material gathered by Group-IB and Qrator Labs, applied to the National Police of Ukraine to investigate the case. In March 2017, police raided the suspects' homes and offices and seized multiple computing devices, including smartphones. Group-IB says that digital forensic analysis of the data on confiscated devices provided evidence that Yatsenko and Grishkyan had been involved in the 2015 and 2016 extortion attempts.
In May 2017, National Police of Ukraine based in the city of Cherkassy, first publicly confirmed the investigation.
"We are satisfied with the successful outcome of the prosecution and the blow we have struck against cybercrime in Ukraine," says Lewis Ferro, U.S.-based director of AnastasiaDate.