
Russian hacker arrests linked to ransomware and exploit kit shutdowns

The Lurk group hacker arrests in Russia came at the same time as the shutdown of a major exploit kit, ransomware family and botnet, but no one is sure if it is coincidence or causation.

Law enforcement officers recently arrested 50 hackers in Russia who were publicly linked to the Lurk banking Trojan horse program. Since those hacker arrests, other malicious activity has dropped, leading to speculation over the involvement of those arrested.

Following 86 raids in 15 regions of Russia, law enforcement made the hacker arrests in early June 2016. The three primary organizers and 14 participants were arrested in the Sverdlovsk region. Early indications were that the group was connected only to the Lurk Trojan, but in the week directly following the hacker arrests, usage of the popular Angler exploit kit (EK) dropped precipitously.

Andrew Komarov, chief intelligence officer for InfoArmor Inc., in Scottsdale, Ariz., said the Lurk group may not have been behind the Angler EK, and the exploit kit may not be gone for good.

"According to our information, Lurk people were one of the biggest clients of Angler EK; that's why the owners decided to move to private operations and to stop rent for some time, as a security measure," Komarov told SearchSecurity.

Separately, researchers from FireEye Inc. found network traffic to and from the Necurs botnet -- reportedly one of the largest botnets in the world -- disappeared at the same time. The Necurs botnet was notably used to deliver the Dridex banking malware and Locky ransomware. And, just before the arrests, the surprising announcement came that the TeslaCrypt ransomware was shutting down and those behind the software released the decryption key. At the time, it was speculated this might have been done in order to avoid arrest.

None of this is conclusive evidence, but experts said the timing was suspicious. Kaspersky Lab aided law enforcement in the lead-up to the hacker arrests in Russia, and when asked about the possible connections to these malicious activities, a Kaspersky Lab spokesperson said the company "can't comment on the matter due to the ongoing investigation."

James Chappell, CTO and co-founder for Digital Shadows, based in San Francisco, said it is not publicly known why these disruptions have occurred, but the timing is interesting.

"The cybercriminal ecosystem is often a loose affiliation of actors who work together, and there are clear service-customer relationships that exist -- for example, being paid to provide coding expertise, providing traffic to someone's exploit kit landing pages for money, to act as a cash-out money mule for money, etc. So, the removal of one or more actors in these networks can have an effect on the rest of the network, and when large and surgical series of arrests are made, this can obviously have a greater impact," Chappell said. "For example, exploit kit authors and operators are rarer than, say, money mules. Arresting the rarer roles is likely to have a greater impact."

However, Chappell said it was impossible to tell what happened in this case. He said there were a few possible explanations.

"The recently announced arrests have directly impacted some critical roles with the cybercriminal ecosystem, which has impacted all of these malware/services -- for example, actors directly responsible for one critical part of each of these malwares have been arrested [or] disrupted," Chappell wrote in an email. "Some takedown activity has occurred, which has temporarily disabled critical functions of these malware/services. [Or], the arrest activity has spooked other members of the criminal community, who have ceased their activity [or] changed their activity. This would be an indirect result of the activity."

Regardless of whether Lurk was responsible, experts noted the effects were temporary at best. As Angler EK usage dropped, researcher Kafeine and SANS ISC both found the Neutrino EK was on the rise. Researchers at ESET found Crysis ransomware was taking over in the areas where TeslaCrypt had been popular.

J.J. Thompson, founder and CEO of Rook Security Inc., based in Indianapolis, said hacker arrests are always a deterrent, even if the malicious activity is transferred to new actors or methods.

"People want to be free and pursue their dreams using the tools and talents they have at their disposal. The void is generally filled, but each time the individual(s) who fill the void get arrested, the cost and risk of opportunity increases," Thompson said. "At some point, the risk will outweigh the cost for highly talented individuals who will then switch to non-black-hat roles."

Chappell was less convinced of the potential positive impact of hacker arrests.

"Whether or not large-scale arrests act as a deterrent or just create a vacuum is an age-old dilemma that has been troubling senior police officers and policymakers for many years," Chappell said. "I would suggest that it has both effects, and if this truly is the end of these services, I would definitely expect to see other solutions take their place, as the incentives are likely very high-profit."
