Russian Hacker Sentenced to 2 Years for TA551 Botnet-Driven Ransomware Attacks

Security Reporter

A Russian national receives a 2-year prison sentence for managing the TA551 botnet that enabled ransomware attacks on U.S. companies, resulting in over $14 million in extortion payments.

A Russian national has been sentenced to two years in prison for managing a sophisticated botnet that enabled ransomware attacks against U.S. companies, the U.S. Department of Justice announced. Ilya Angelov, 40, of Tolyatti, Russia, was also fined $100,000 for his role in operating the TA551 cybercrime group between 2017 and 2021.

The case highlights the complex ecosystem of cybercrime where botnet operators provide infrastructure for ransomware gangs to carry out devastating attacks. Angelov, who used the online aliases "milan" and "okart," co-managed the Russia-based cybercriminal group known by multiple names including ATK236, Gold Cabin, and Hive0106.

According to court documents, Angelov's group built a network of compromised computers through malware-infected files distributed via spam emails. The group then monetized this botnet by selling access to individual compromised computers to other criminal organizations. This business model has become increasingly common in the cybercrime underground, where initial access brokers provide the entry point for more sophisticated attacks.

Court records reveal the group developed specialized programs to distribute spam email and refined malware designed to bypass security tools. Angelov and his co-manager recruited members and oversaw various criminal activities, with the primary tool being a backdoor that allowed malicious software to be uploaded to victims' computers.

The group's main objective was to resell access to other criminal groups, who then used it for ransomware extortion schemes. Between August 2018 and December 2019, TA551 provided the BitPaymer ransomware group with access to its botnet, enabling infections at 72 U.S. corporations. This collaboration resulted in more than $14.17 million in extortion payments to the ransomware operators.

Following the disruption of the BitPaymer group, the IcedID malware operators paid Angelov's group over a million dollars to acquire access to the botnet in late 2019 or early 2020. While the full extent of damage from this partnership remains unclear, it demonstrates how cybercrime operations adapt and form new alliances when existing ones are disrupted.

Technical analysis by Google-owned Mandiant in February 2021 revealed that TA551 used phishing emails containing password-protected archives to trick recipients into opening macro-enabled Microsoft Word documents. This led to the deployment of a macro downloader called MOUSEISLAND, which acted as a conduit for a secondary payload named PHOTOLOADER. PHOTOLOADER ultimately installed IcedID malware on victim systems. Both MOUSEISLAND and PHOTOLOADER have been attributed to TA551.
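The chain described above (archive attachment, macro-enabled Word document, macro downloader, secondary payload) leaves two observable links on an endpoint: Word opening a macro-capable document from a temporary or archive-extraction folder, and Word spawning a process that is not part of Office. The following detection is an added example written for this article, not code from Mandiant, the FBI or any TA551 analysis; the event field names are modelled loosely on Sysmon-style process-creation telemetry, and the sample events, file names and paths are constructed for illustration.

```python
"""Added example: replay constructed process-creation events and flag the two
observable links of a macro-document-to-loader chain. Event fields (pid, ppid,
image, cmdline) are an assumption modelled on Sysmon-style telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions that can carry VBA macros (legacy .doc/.xls included).
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls"}
# Temp folders and in-archive paths used when a document is opened straight
# from an attachment or a compressed folder (assumption about typical paths).
SUSPICIOUS_PATH_RE = re.compile(r"\\te?mp\\|\.zip\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def opened_document(cmdline: str) -> str:
    """Return the document argument: the last quoted argument if any,
    otherwise the last whitespace-separated token."""
    quoted = re.findall(r'"([^"]+)"', cmdline)
    if quoted:
        return quoted[-1]
    tokens = cmdline.split()
    return tokens[-1] if tokens else ""


def detect(events):
    """Return (pid, reason) findings for the two chain links."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        # Link 1: an Office app opens a macro-capable file from a temp/archive path.
        if img in OFFICE_IMAGES:
            doc = opened_document(e.cmdline)
            if (PureWindowsPath(doc).suffix.lower() in MACRO_EXTS
                    and SUSPICIOUS_PATH_RE.search(doc)):
                findings.append((e.pid, "macro-capable document opened from temp/archive path"))
        # Link 2: an Office app spawns something that is not an Office app.
        parent = by_pid.get(e.ppid)
        if parent is not None:
            pimg = basename(parent.image)
            if pimg in OFFICE_IMAGES and img not in OFFICE_IMAGES:
                findings.append((e.pid, f"{pimg} spawned {img}"))
    return findings


# Constructed sample telemetry: one benign document, one suspicious chain.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, WINWORD,
              f'"{WINWORD}" /n "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.docm"'),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\loader.exe",   # hypothetical child
              r'"C:\Users\alice\AppData\Local\Temp\loader.exe"'),
    ProcEvent(400, 100, WINWORD,
              f'"{WINWORD}" /n "C:\\Users\\alice\\Documents\\report.docx"'),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the constructed events, the benign `report.docx` (pid 400) produces nothing, while pid 200 is flagged for the macro document opened from inside a zip under `Temp`, and pid 300 is flagged because it was spawned by `winword.exe`. Either link alone generates false positives in real environments (users do open `.docm` files from attachments), so the two findings are best correlated on the same host within a short window before alerting.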

The collaboration between TA551 and various ransomware groups continued until approximately August 2021, according to the FBI. In November 2021, Cybereason revealed that TrickBot trojan operators were teaming up with TA551 to distribute Conti Ransomware. That same month, France's Computer Emergency Response Team (CERT-FR) disclosed that the Lockean ransomware gang was using distribution services offered by TA551 following the law enforcement takedown of the Emotet botnet at the beginning of 2021.

"Foreign cybercriminals like this defendant target American citizens and corporations," said U.S. Attorney Jerome F. Gorgon Jr. in a statement. "Their methods grow in sophistication. But their motive remains the same – to rip off and harm us."

The sentencing comes amid increased international cooperation to combat cybercrime. Just one day before Angelov's sentencing, the Department of Justice announced that another Russian national, 26-year-old Aleksei Olegovich Volkov (aka "chubaka.kor" and "nets"), was sentenced to nearly 7 years in prison after pleading guilty to acting as an initial access broker for Yanluowang ransomware attacks targeting eight U.S. companies between July 2021 and November 2022.

These cases demonstrate law enforcement's growing success in dismantling cybercrime networks, though experts note that the decentralized nature of these operations means new groups often emerge to replace those that are disrupted. The economic impact of ransomware continues to grow, with the FBI reporting billions in losses annually from these types of attacks.

For organizations concerned about similar threats, security experts recommend implementing multi-factor authentication, regularly patching systems, conducting security awareness training for employees, and maintaining offline backups of critical data. The human element remains a crucial vulnerability, as demonstrated by TA551's reliance on phishing emails to establish initial access.
