Darknet Diaries - Ep 44: Zain

Episode Date: August 6, 2019

Ransomware is ugly. It infects your machine and locks all the data, and to unlock it you have to pay a fee. In this episode we dive into some of the people behind it.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by MyWallSt. Their app can help you find good looking stocks to invest in. Visit MyWallSt.com/dark to start your free 30 day trial.

For more show notes and links check out darknetdiaries.com.

Transcript
Starting point is 00:00:00 Ransomware is a special type of malware. It's kind of new and different compared to other malware. While most malware is quiet, downloading silently in the background, hiding itself from the victim, ransomware is the opposite. The moment it installs on your system, it announces it's there in the loudest and boldest way possible. Ransomware locks down your computer completely, rendering it unusable. The purpose is to shout out that it has taken over your machine and until you pay a fee, you're not getting it back. There are so many stories right now about businesses and government
Starting point is 00:00:36 departments that are getting hit with ransomware and it costs them hundreds of thousands of dollars to fix. Russian railways got hit, banks, hospitals, governments, towns, and the mobile phone operators got hit. Universities in China were hit, FedEx got hit in the U.S., Telefonica in Spain, and Renault in France. They're all infected and their data was held ransom. But what about the everyday person? The person who has a laptop and uses it in evenings and after work and goes on the internet to do shopping and other stuff. What happens when we are targeted by an internet thug? The story is about exactly that. It's a story about individual users being hit with ransomware on their own computers,
Starting point is 00:01:16 and the criminal behind it was a teenage boy in his bedroom. And there's a twist to this story, one that gave this criminal a hook to threaten and frighten his victims into paying ransom fees. It's an example of social engineering at its best. Or maybe its worst. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by DeleteMe.
Starting point is 00:02:07 I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of DeleteMe.
Starting point is 00:02:27 DeleteMe is a subscription service that finds and removes personal information from hundreds of data brokers' websites. And continuously works to keep it off. Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for Darknet Diaries listeners.
Starting point is 00:02:58 Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call.
Starting point is 00:03:43 I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and
Starting point is 00:04:26 find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. blackhillsinfosec.com. This is a story about a guy named Zain Qaiser. The year was 2011. Zain was 17 years old, living at home with his parents in Barking, which is in East London, UK. At the time, he was studying computer science at City University, which is right in the middle of London. And he spent most of his time on his MacBook Pro. City University was one of the first in the UK to offer degree courses in computer science. More than that, they have one of the highest rates of graduate employment. Those who complete their courses
Starting point is 00:05:08 are getting good jobs in InfoSec and going off to have great careers. But Zane would not complete his courses or graduate or go off to have a great career. There's a whole secret malware economy that exists in the dark parts of the internet. You can hire a hacker or buy exploits, and you can pay for a botnet usage, or you can buy and sell stolen data from people. So online criminals today will often only be one part of this supply chain. And one exploit kit found for sale on the dark web is called Angler. Some really clever hackers made it. We think it was probably Russian made.
Starting point is 00:05:51 Here's how it works. It starts by somehow getting you to visit a malicious website. Now, websites you can visit can tell a lot about your computer. They can check what version of Flash you're running or Java. And if you go to a website that has the Angler exploit kit running on it, it'll do just that. It'll check what software versions you're running. It'll basically scan your computer for out-of-date software. It'll check your Adobe PDF reader version, then your Silverlight version, then your Java version, then your Flash version. If it sees that any of these are out of date and have a known vulnerability, it moves on to step two. It'll try to exploit that vulnerability and gain access to your computer. Let's dive into this for a second here. One of the vulnerabilities the Angler exploit kit will use is what's called a use-after-free vulnerability.
Starting point is 00:06:37 This is where the program had some data in its memory, but it's done with it and freed it. But somewhere in the program is still a reference to that part of the memory. Okay, suppose you were eating popcorn with a friend watching a movie, and you've got a bowl of popcorn on your lap, and you're sharing it with them. They take a handful, then you take a handful, then they take a handful, then you take the last handful. The popcorn is gone. The bowl is empty. But your friend doesn't know it. They still think there's popcorn in the bowl. So you play a little trick on them and put a bowl of spaghetti on your lap instead. And when they go to reach into the popcorn bowl, they stick their hand in the bowl of spaghetti. This is kind of what use after free vulnerabilities are like, sort of. Your friend was programmed to reach into the popcorn bowl thinking there
Starting point is 00:07:21 was something there, but there was nothing there. In software world, you can put some commands in that bowl, so when the software reaches for it, it executes those commands you told it to. Kind of brilliant, huh? Okay, enough with the bad analogies. Angler is an exploit kit, meaning it doesn't just contain one exploit, but instead it looks all over your computer for any exploit it can use. It might have dozens of possible exploits to try. And if it finds one, it then runs commands on your computer that it shouldn't be able to run. Now, this is where Angler sort of stops. Its job is really just to get in and execute the payload.
Starting point is 00:07:55 And a payload could be anything, though. It could be to steal user data or passwords. It could be to tie your computer into a botnet. Or it could be just to delete everything on the computer. So in short, if you have outdated software on your computer and visit a website running the Angler exploit kit set to destroy your computer, your computer will then be infected in seconds and begin deleting files. Scary stuff. 17-year-old Zain Qaiser thought this was cool though, and thought this had potential to make him some money. The problem was, the Angler software was sort of hard to get at the time. In early 2012, Zain was
Starting point is 00:08:31 very active in chat rooms and forums using his username King, but with an exclamation point for the I. He had an idea, and he wanted to put his plan into action. Zain makes contact with the Russian creators of Angler and tells them he has the skills and experience to make them a lot of money. You provide the malware, he said, and I'll get it infected on a lot of computers. Zain tells them that he's experienced in social engineering and that he's good at manipulating people to get what he wants and he's got no problem doing it. And he's a native English speaker and knows how the online advertising industry works. Zain suggested a split of the profits. It was a partnership pitch, and one of the Russians was open to hearing this pitch. And so an agreement was made. Zain got started on his
Starting point is 00:09:17 plan. He got the Angler exploit kit, which is good at getting into the victim's computer, but that's all it's good for. You still need a payload or an action once the machine is exploited. So Zain decided to weaponize Angler with Reveton. Reveton is a powerful ransomware that will encrypt an entire user's hard drive with a password, and then you have to pay money to get that password to decrypt it. This worked perfectly for Zain. Now he has a weaponized exploit kit all set up on a website waiting for anyone to visit it to get infected. But how do you trick someone to go to your website to get
Starting point is 00:09:51 infected? His idea was to buy online ads that point people to his malicious website. And where would he buy those ads? On porn websites. The Russians provided him with some fake identities and documents and credentials so he could convince legitimate advertising agencies that he was just an everyday advertiser. And this is a typical example of malvertising. Once people click on this link, they get redirected to a malicious website, and the computer would be infected with that Reveton ransomware that Zain equipped into Angler. Now, if you're going to demand a ransom payment, you need to have something your victim is willing to pay for. And sure, if you locked up someone's computer and say, pay me to unlock it,
Starting point is 00:10:29 that may work. But Zain's plan was a little more diabolical. The Reveton ransomware is sometimes known as the police virus. And that's because when you get infected with it, it shows you a police logo and tells you the victim has broken the law by visiting this porn site. So not only does the computer get frozen, but all of a sudden there are words on the screen that say porn and child porn and FBI and criminal charges and, well, you get the idea. So for Zain to target people going to porn sites to try to get them to click on this ad so that they could be infected with the malware was a perfect match for this ransomware. It's sort of a brilliant combination of social engineering and hacking.
Starting point is 00:11:05 Victims of this would not only be mad, but they'd be embarrassed and ashamed and scared even. And if you infect your family's computer or work computer, jeez, what a mess it would be to explain that you were on a porn site when you got infected. Zain was ruthless at targeting these people, and soon with his paid ads, hard drives began getting infected with this malware. Zain's ransom screen would even say that the victim's IP was reported to the police. But to make it all go away, all you have to do is pay $200 and everything is dropped. And people started paying up. In the summer of 2012, with his agreement with the Russian crime group in place, Zain began his first stage, which would become a colossal ransomware scam.
Starting point is 00:11:51 There's almost no website on the internet that doesn't display some sort of advertising. An advertising space on popular websites with large traffic is in demand, and advertisers will pay good money to secure that advert slot. The problem comes in when the advert placed is just in front of malware, secretly embedded in its code. Some big-name websites have been hit with malvertising, like the New York Times and the Atlantic. These websites have high traffic numbers, and they didn't know anything about these scams that were going on. Zain was fully aware of malicious advertising, malvertising, and he understood how to implement it. He acted as a legitimate
Starting point is 00:12:25 advertiser looking to purchase advertising space on some of the biggest pornography sites in the world. He took part in real-time bidding of premium ad spaces, a constantly changing market, and the bidding process is competitive. Basically, by paying for ads, he was buying traffic to his site, and paid traffic got fast results. Set it up, and straight away you can see more visitors and more clicks. All Zain needed was a click on that advert, and the ball started rolling. This knowledge was partly why Zain was of interest to the Russian crime group. With their coding skills and his understanding of the ad market, they were onto a sure thing. The advertising company Zain was working with knew nothing about his real intentions.
Starting point is 00:13:06 Zain laced his adverts with redirects to websites infected with malware, the Angler exploit kit. Users didn't know it, but as soon as their browser hit that website, Angler was scanning their system looking for a way to infect it. The Angler exploit kit is like a sniffer dog trying to find its target. Now, why doesn't antivirus stop this, you might ask? Well, first of all, a lot of people don't use antivirus, so they're like sitting ducks, especially if they don't update their software. And this is why I'm telling you, always update your software. But second of all, the creators of Angler were really clever to avoid its detection.
Starting point is 00:13:40 It would constantly change domains and IPs to avoid any blacklist. And it would encrypt all traffic to avoid antivirus seeing malicious commands coming over. And it would change the way it looks to avoid any matching string detection that antivirus might be looking for. It's a rascal of a malware. Angler didn't even need its own files to launch an attack. It didn't even need time on the machine before it could operate. It can spot a vulnerability, send commands to exploit it, and then conduct whatever it needs to do on that. On top of that, the Russian coders who made it had a zero-day vulnerability in it too. A vulnerability in Adobe Flash that Adobe didn't even know about.
Starting point is 00:14:17 It was stealthy, cunning, and very effective. The ransomware favored by Zain and this Russian group was called Reveton. It's been called the police virus or even the FBI virus as it pretends to be an official police notice. Target 11 with a warning now to everyone who has a computer. A new virus is not only infecting your computer, but the crooks behind it are also extorting money. It's called the FBI virus, but it has nothing to do with the agency. This is ransomware with a twist of social engineering. It's a psychological trick, a scare tactic.
Starting point is 00:14:55 The computer was frozen and displayed an FBI logo. And it just said, you have broken the law. You are facing imprisonment. We have captured images on this adult site via your webcam. This notice has locked and frozen your computer when you are viewing a pornography website. Embarrassment. Shame. Fear of exposure. All emotions this malware banked on to push its users into following its instructions and paying them money to just make it all go away.
Starting point is 00:15:22 In the ransomware, it even said the victim's internet service provider had been notified by the cyber crimes unit. It even gives their IP address and host name, and it says illegally downloaded material has been located on your computer, which has broken some copyright laws. It all sounds and looks official. And then it says the user is subject to a fine of $200,000 or faces imprisonment for up to three years. Of course, if you want to avoid that, all you have to pay is this $200 fee, and your computer will be unlocked, and all criminal proceedings against you will be stopped. It doesn't demand too much money as a ransom fee, just enough to be worth doing,
Starting point is 00:16:00 but not too much that people wouldn't or couldn't pay for it. Bitcoin was around then, the cryptocurrency, but it was only 2012. So it was only like a few years since Bitcoin was created. And while Bitcoin wasn't quite popular yet and the prices were fluctuating a lot, people just weren't tech savvy enough to figure out how to buy Bitcoin and send it. So the solution was Green Dot MoneyPak prepaid cards. These aren't linked to a bank account and each card comes with a unique 14-digit number. Once a card has been loaded with cash, you can give that number to anyone and they'll have immediate access to those funds. The U.S.
Starting point is 00:16:38 is the world's biggest user of these cards. You can buy them at Walmart, CVS, Walgreens, all sorts of big retailers and put cash onto it. It costs $6 and you can deposit up to $500 on this card. At the time, it was the ideal method for anonymous internet criminals to accept money from their victims. The Reveton ransom screen gave the user detailed instructions on how to pay their fee. Step one, take cash to one of these retail locations. Step two, pick up a MoneyPak and buy it with cash at the register. Step three, come back and enter the MoneyPak code into the code section on this message screen and then click submit. It's that simple.
Starting point is 00:17:13 Zain's paid ads to get traffic to his site were working. People were getting their computers locked and they were paying to have it unlocked. Money started to come in for Zain. net exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections.
Starting point is 00:18:14 Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. But the next challenge was to get the cash and to make sure his Russian associates got their share. And it's not so easy to move a lot of money around as a criminal and not be caught by the police. Zain would collect the money and then use Liberty Reserve to transfer it to his Russian associates. But he needed some help to do this. Liberty Reserve was kind of like the shady cousin of PayPal. It's the black sheep of the digital currency family and one that was favored by a lot of cyber criminals. An account at Liberty Reserve didn't ask you for your real credentials or proof
Starting point is 00:19:02 of identity or anything in order to transfer money. In fact, it didn't even have a full license to be operating as a funds transfer business, something which would later catch up with its founder. Someone who wanted to launder money quickly and privately and online knew this was a perfect setup. Zain was the distributor of the malware and this ransom scam, but to launder the funds and get access to the money, he needed a middleman. And that's where Raymond came in. He's from Maple Valley in Washington. He's 35 years old in 2012.
Starting point is 00:19:34 He was a student at Florida International University. And his role was to cash the ransomware payments from the MoneyPak cards. And then he'd convert the cash to Liberty Reserve, transfer the money to Zain, and keep a little bit for himself. The two got their routine polished pretty quickly. Zain opens multiple accounts and prepaid cards using more fake identifications provided by his Russian contacts, and he gives these accounts to Raymond. Raymond uses the MoneyPak codes for each ransom payment. He logs into his MoneyPak account, uses the codes to transfer the ransom to fraudulent accounts. Now, there are limits to the number of transactions and amounts of money that can be deposited through MoneyPak.
Starting point is 00:20:11 Deposits of up to $1,000 within a 24-hour period seems to have been the standard allowance. Raymond most likely had multiple MoneyPak accounts, all in fake names, so that he could avoid hitting these limits. Once he transferred the money into the accounts that Zain gave him, he could go and withdraw the money from multiple ATMs in different locations. Then he'd send it to Zain through Liberty Reserve. To open an account at Liberty Reserve, it was as simple as a name and email address. And you need to convert your criminally obtained cash. So you buy what they call Liberty Reserve dollars with cash, and that transforms your ransom cash into digital currency for a fee of about 5%. And to buy Liberty dollars, Raymond would have to go through an exchanger, someone located in a completely different country who could purchase Liberty dollars in bulk.
Starting point is 00:20:57 Liberty Reserve itself had no identification details for the people who held accounts there. They only had that name and email address that was used to open the account. All the transfers from cash to Liberty Reserve and Liberty dollars back to cash were done through these middleman exchanges and technically entirely outside of Liberty Reserve itself. All this is a complicated and technical way just to get clean cash that doesn't have a criminal trail.
Starting point is 00:21:22 But it was working for Zain and Raymond and the Russian coders. Zain, back in London, received about 70% of the ransom payments. That was his cut from this operation. Pretty good. Money was rolling in nicely at this point, and the more ads he bought on those porn sites, the more traffic he'd get to his websites, which resulted in more people being hit with ransomware, which meant more people paying to remove it. He was basically trading nickels for dimes. The plan was working. He was still a student at City University, living at home with his parents.
Starting point is 00:21:57 He didn't have any paid employment. He didn't have any legitimate income. But he was spending a lot of money that he was making through these scams. He bought a 5,000 British pound watch. He stayed in posh hotels and he partied with prostitutes. He was using drugs and gambling a lot. He was reported to have spent 70,000 pounds in one London casino within a 10-month time frame. I wonder what he was telling his friends and family on where he was getting all this money from.
Starting point is 00:22:29 But the whole malware as a business supply chain is fascinating to me. You've got one team working to create the Angler exploit, and they're arming it with the Reveton ransomware, which was made by a completely different group of people. And then Zain is there deploying it to the world to infect as many people as he could. And then when the money comes in, Raymond over in Florida is laundering it and sending it back to Zain.
Starting point is 00:22:47 It's impressive how many things have to go on here for this operation to work. Around this time, police in Spain began receiving hundreds of complaints of ransomware viruses. And a bunch of other people were investigating this too. The Trend Micro e-crimes unit, the European Cybercrime Centre at Europol,
Starting point is 00:23:06 the Spanish police, and Interpol all coordinated to help each other try to figure out who was behind this. This information sharing allowed them to build up a pretty good picture of how the gang network was structured, including how they did traffic redirection and set up their command and control servers. Under codename Operation Ransom, a 27-year-old Russian man was arrested in December 2012 while he was on holiday apparently in Dubai. But it was discovered that he was the head of a Spanish gang. A few months later, 10 other people were arrested during six raids in Malaga, Spain. But this group wasn't the one Zain was connected to. This was the group responsible for making the Reveton ransomware. And the police tracked them down, brought their whole operation to a crumble.
Starting point is 00:23:49 Seven Russians, two Georgians, and two Ukrainians were arrested. Police were able to seize a lot of computers and equipment and credit cards that were used in all these ransomware attacks and for laundering the money. The police believed this gang was collecting more than 1 million euros a year. And there were more than 1,200 reported cases of ransomware scams just in Spain since May 2011. But while the group who created Reveton was arrested, the Reveton software itself was in the hands of criminals like Zain to keep infecting people with it and use it. So while this was a big success for the Spanish police to cut down on a lot of it, it didn't affect Zain at all. Three months later, in May 2013, the U.S. government shut down Liberty Reserve. Suspected of laundering more than six billion dollars in criminal proceeds,
Starting point is 00:24:43 it had been under investigation for a while. Its owner, Arthur Budovsky, was a shady character who'd been dodging the law for years, and in 2011 he was told he needed the appropriate license to be running a money-transmitting business, but when his application failed, he simply moved his business to Costa Rica. For two years, his operations were under police investigations, with his funds being seized multiple times, but by the end of 2013, Arthur was in custody, along with seven of his employees, and Liberty Reserve had been officially seized and shut down. Today we announce charges in what may be
Starting point is 00:25:14 the largest international money laundering case ever brought by the United States. Specifically, we unseal charges against Liberty Reserve and seven of its principals and employees, who for years have operated one of the world's most widely used digital currencies. That's Preet Bharara, the U.S. attorney for New York. Liberty Reserve was a key part of the chain for Zain and Raymond and the Russian crime group behind them. Without the ability to convert their ransom payments through Liberty Reserve, they were going to have a problem.
Starting point is 00:25:44 Liberty Reserve was intentionally created and structured to facilitate criminal activity. It was essentially a black market bank. When Liberty Reserve was taken down, everyone who had Liberty dollars in their accounts saw them vanish and lost them immediately. Those Liberty dollars were gone, no longer available. Whatever value they represented in cash had now been lost overnight. But now that the website was in the hands of the authorities, investigators started looking into who the users were for the site. Zain kept doing this, but it looks like this is
Starting point is 00:26:18 where Raymond's involvement came to an end. Raymond actually went on to secure a job as a network engineer at Microsoft, and Microsoft had no knowledge of what Raymond was up to in the previous years. To continue, Zain simply switched to a different cryptocurrency platform, but the fall of Liberty Reserve highlighted his name to the investigating authorities, and much of the profit side of his scam was uncovered in the following years from Liberty Reserve data. The authorities had followed the strings and were piecing together exactly what Zain had been up to. As Zain continued to buy advert space, some advertising companies began getting suspicious of him.
Starting point is 00:26:57 They would challenge him and question him. And what would Zain do in response? He tried to manipulate and even threaten the ad agencies. He told the director of one of the companies based in Canada, quote, Really, it's better if we work together. We can make some serious money together. It's my way or no way. The king is back.
Starting point is 00:27:16 End quote. When he didn't get the response he wanted, he followed up with another threat. Quote, I'll first kill your server, and then I'll send child porn spam abuses to you. End quote. Zain then launched a revenge distributed denial of service attack on these advertising sites that would host his ads. The purpose of the DDoS attack was to make the target's website unavailable, essentially take it down. It overwhelmed that website and made it crash,
Starting point is 00:27:40 making it unavailable for website users and therefore customers of the company. Zain used his methods of attack as revenge. It was simple retaliation. You question me? You don't want to come on board with me? How dare you? I'll make you pay. Zain set out to disrupt the business of those agencies, and if he crashes the website, paying customers can't go to them and use their website to purchase ad space. It's the core of their business. The company was losing tons of money for every second that ads weren't being served. Zain then launched more denial of service attacks against the websites that were questioning him. Again, these were against the advertising companies who tried to stop what he was doing. The DDoS attacks cost these businesses at least £500,000 in lost ads and incident response costs. One of the ad agencies getting hit with this
Starting point is 00:28:24 attack reported Zain to the police. The police were dispatched to Zain's home and arrested him in July 2014. But he was released a few days later with no charges because of a lack of evidence. Zain thought he outsmarted the police, but little did he know the National Crime Agency Cybercrime Unit were now investigating him fully. The fall of Liberty Reserve wasn't the only event across Zain's active ransomware period that interfered with his operations. In 2016, 86 raids in Russia arrested more than 50 individuals involved in the Lurk cyberattack in Russian banks. Lurk was malware that mimicked the online banking app for Russia's biggest bank, Sberbank. It's estimated the gang behind Lurk
Starting point is 00:29:10 stole $45 million from Russian financial institutions in just under two years. In mid-2016, Angler was at its peak use, estimated to be behind 40% of all exploit kit infections. By this time, Angler was being rented out by the crime group who owned it. Anyone willing to pay could get a version of it and use it however they wished. And there were quite a few people using this Angler kit to conduct these ransomware attacks. Zain wasn't the only one. This spread the kit around the globe and was being operated by hundreds of different hackers. And the money it generated? Researchers at Cisco Talos believed the Angler ransomware was making
Starting point is 00:29:45 around $60 million a year for hackers. And the Cisco Talos research group looked into this a little further and found links between Angler and Lurk. And it's possible that in the crackdown on Lurk, they also caught some of the Angler hackers too. Something that would have had an impact on the ransomware scam Zain was spearheading from the UK. In early 2017, the National Crime Agency in the UK had collected enough evidence from the Liberty Reserve servers to build a case against Zain. The police once again went to Zain's house and arrested him. Police seized Zain's MacBook Pro and found logs, records, and data. And this tied him to the scam, and showed that he was working with the Russian creators of Angler. Over 3,000 chat logs and almost 1 million images were stored.
Starting point is 00:30:32 The computer was encrypted and was running both Windows and macOS. Zain had created partitions with encrypted virtual machines, remote servers, and remote desktops. He hid things pretty well, but this was the NCA, and it's 2017. They have a whole digital forensics team who can comb through everything to gather evidence. Part of Zain's downfall was copies of the control dashboard that he was using. One of the cool things about Angler and Reveton was that it had these really cool dashboards that showed you how many infections there were, and where the infections were, and who paid, and all that stuff. This was present on his laptop and he was able to log into it.
Starting point is 00:31:07 One screenshot showed that Zain had received $14,000 in ransom payments for just July of 2014. Multiple financial accounts were found that linked Zain to using different cryptocurrencies overseas, and in February 2017, he was charged with blackmail, fraud, and computer misuse. When he was questioned by the police, Zain told them that he was not involved with the scam and he had been hacked, but the digital forensics team was able to disprove this by collecting data on his computer. The NCA have provided some example calculations to demonstrate just how big this operation was. They estimate that one malware infection advert showed on 21 million web browsers each month, with Angler being downloaded on approximately 16,000 computers.
Starting point is 00:31:54 Remember, this is one advert in one month. From that, they estimated that 5%, so about 800 of these computers, didn't have up-to-date antivirus, and Angler could exploit the holes in their systems and deploy the ransomware. How many individuals paid up? It's almost impossible to know, but a few security research reports suggest that on average 40% of business ransomware victims do pay the ransom. So let's do some math here. The individual people who were hit by the ransomware didn't have IT departments to turn to. They didn't have people on hand to advise them if this was a scam or real. I doubt most people told anyone. And if they did, they'd have to say they were on a porn site when this came up, which is embarrassing. Not something that many are going to want to admit to. So I think the percentage of individuals who paid up
Starting point is 00:32:37 in the scam is way higher than 40%. But let's go low. Let's say only 10% of the 800 users that were hit with the Reveton ransomware screen actually paid the ransom. So that's 80 victims paying up at $200 each. That makes Zain $ and bid for advert slots. And Raymond had to be paid to launder the money, and he had to pay exchange fees and transfer fees. And of course, not all the profits went to Zain. The Russians would take some of the cut too. The NCA has said that across the five-year span of this operation, Zain moved at least $5 million using multiple cryptocurrency platforms and online accounts. His personal profits, they say, were almost $900,000 by the time of his arrest in 2017. Meanwhile, in the Southern District Court of Florida in March 2018, Raymond was indicted and charged with conspiracy to commit money laundering.
Starting point is 00:33:49 Raymond had been linked to the MoneyPak ransom payments and transfers through Liberty Reserve, and his online username was Mike Rowland. He was charged that between October 2012 and March 2013, he was involved in laundering the money obtained by the Reveton ransom scam. And it was actually a failed transfer of $840 between two Liberty Reserve accounts that gave him away. Prosecutors estimated that in the span of one year, Raymond moved about $93,000 collected from these ransomware payments. Raymond went to court and was found guilty, and the judge sentenced him to 18 months in jail with three years' supervised release.
Starting point is 00:34:22 And he accepted a plea deal to have one of these charges dropped. And Microsoft somehow unwittingly found themselves dragged into this case after they employed Raymond, but unsurprisingly, they didn't make any official comment on this. Zain's trial in the UK was scheduled for February 2018, but it was cancelled when Zain was sectioned under the Mental Health Act. The details are unclear here. Something like Zain had been put in a hospital in London for treatment. But while there, in hospital, digital forensics showed he was still conducting ransomware scams
Starting point is 00:34:56 and laundering money using the hospital's Wi-Fi. So he was re-arrested and put back in jail. These further charges prompted a change in plea from Zain. He now pled guilty to 11 charges in total: acquisition, use or possession of criminal property, three counts of blackmail, three counts of fraud by false representation, and four counts of unauthorized acts with intent to impair the operation of a computer or creating risk of serious damage. On April 9th, 2019, Zain Qaiser was sentenced to six years and five months at Kingston Crown Court.
Starting point is 00:35:33 The judge told him that his case and his cyberattacks were so extensive, there had not been a comparable case found. What Zain did could be classified as a common scam going around now called sextortion. And these are growing in popularity. They're so successful that criminals don't even need to put ransomware on your computer. Sometimes an email is good enough. I mean, imagine if you got an email that said, hey, I know you've been going to porn sites and I'm a hacker and I secretly recorded you masturbating over the webcam. Send me Bitcoin or I'm going to tell your family and boss. Emails like this are becoming common.
Starting point is 00:36:11 I got one the other day and I traced it back to a guest blog post I wrote on a website a while back. And it had my email address posted there. And these scammers scraped my email off that website and sent me this email expecting me to pay money. These emails are scary and it's hard to ask for help or know what to do. I'm pretty sure most of them are scams, though, and some will try to show you proof by showing you your password, but my Darknet Diaries listeners are savvy enough to know that there are tons of breaches going on all over the world, and your password is probably out there on the Darknet along with your email. So just having that really isn't proof of anything. And without
Starting point is 00:36:50 proof of anything that's actually embarrassing or any evidence, what are they really holding ransom? Zain could have used his skills for good. He could have been a white hat hacker. He was obviously very technically skilled and good at advertising. He could have defended companies against threats and hacks like this. He could have had a respectable career, but instead he chose this route. He allowed his greed and ego to grow with him, which led him straight into the arms of the NCA and FBI. Although he'll most likely get out of jail in three years, he'll probably have a hard time landing a good job after that. If Zain is released from prison in three years' time, he'll be 27 years old then. He'll have blackmail, fraud, money laundering, distribution of ransomware, and hacker as labels that will follow him from now on. All for a few years of free money. Was it worth it? Only Zain can answer that.
Starting point is 00:37:52 You've been listening to Darknet Diaries. Hey, if you didn't notice by now, the show has a whole new logo, new artwork, new website, everything. Check it out at darknetdiaries.com. And if you head over there, you can also buy shirts and stickers, if that's your sort of thing. And I hope that is your sort of thing. This episode was created by me, the Zettabyte Man, Jack Rhysider. Research and writing help this episode was by Fiona Guy, editing by the dark-haired Damien,
Starting point is 00:38:18 and the theme music was created by the trebly talented Breakmaster Cylinder. See ya.