How police caught the UK's most notorious porn ransomware baron

A highly sophisticated group of Russian-linked criminals made millions from placing ransomware-laden adverts on porn websites. One of its key members is now in jail

In August 2012, the FBI issued a warning. The Reveton ransomware, which had been discovered less than a year earlier, was causing major havoc online. The scam targeted people who visited compromised porn websites, filling their screen with a warning: “Your Computer has been locked!”

Sitting under a shonky version of the FBI logo, the message warned people that their computer’s “activity” had been recorded and that illegal acts – such as downloading MP3s and movies – had been detected. People living outside the US would see a different police logo and message when they were presented with the page. The only way to regain control of the computer was to pay a $1,000 fine or face imprisonment.

Seven years later, one of the masterminds behind the distribution of the Reveton ransomware has been jailed. At Kingston Crown Court in London, 24-year-old Zain Qaiser was jailed for six years and five months for his role in a sophisticated operation, which had links to a Russian cybercrime group. He had worked in partnership with the group, splitting the profits.

The scam involved creating a complex network of fake companies using false identities and buying advertising space on the world's biggest porn websites. The adverts would direct people to websites where their computers could be infected with ransomware. Plenty of people fell for the con. Police say Qaiser, who went by the online moniker of K!NG, earned at least £700,000 through his role with the group since 2012, although it’s impossible to know precisely how much was made. Qaiser was still making money through online crime until he was taken into police custody in December last year.

He first came to the attention of UK law enforcement soon after his involvement in the scheme started. “He got in contact with a Russian-speaking organised cyber group,” explains Mike Hulett, the head of operations for the National Crime Agency’s (NCA) cybercrime unit. Through online forums and chats Qaiser was able to build up a relationship with the Russian-speaking group. “It was a match made in heaven in terms of their coding skills and his language skills and social engineering skills,” Hulett adds.

What followed was an intense multi-year police investigation that involved the NCA, FBI and US Secret Service, plus law enforcement bodies from across Europe. Qaiser was first arrested in 2014, but it took police and prosecutors another five years until he appeared in court to plead guilty to the charges against him. He was charged with 11 different offences including blackmail, fraud, money laundering and computer misuse.

Qaiser’s initial involvement with the group was as a user of its technologies, says Nigel Leary, a senior investigator at the NCA who led the case. But, over time, he became more and more involved in its operations. Evidence gleaned from his encrypted MacBook Pro played a significant role in bringing him to court, Leary says. Contained within the device was a network of separate systems created to hide the truth.

“The MacBook Pro had two operating systems installed on it,” Leary says – both Mac and Windows. “Within those partitions it was running virtual machines and those were encrypted. We also identified evidence that there were remote servers and remote desktops being used for bits of infrastructure sitting elsewhere.” Qaiser initially claimed he had been hacked; however, investigators looked at the installation of the operating system, the first power-on of his machine and when software was installed to prove it belonged to him.

Qaiser, a computer science student, was responsible for running the advertising element of the criminal enterprise and had a detailed knowledge of how the online ad industry works. “He was au fait with real-time bidding, with how those different ads work, how much they would need to bid, how much it would be worth from a particular geography or unique IP addresses rather than repeat IDs,” Leary says.

All the advertisements the group paid for were through legitimate agencies and organisations. To be successful the ads had to be something people wanted to click on: many were promoting free webcam sites, where adult performers broadcast live videos. But when someone clicked on the ads, they were directed to sites hosting ransomware. Leary describes many of the early ads as being “ridiculous, pretty basic gifs”. But as time went on, the group started paying people to make more realistic campaigns.

Jérôme Segura, the head of threat intelligence at Malwarebytes Labs, says the advertising operation was a “clever scheme of abusing several ad networks” by posing as legitimate advertisers. “He used their platforms to buy ad space and target users with great precision and minimal cost,” Segura says. In court it was claimed Qaiser spent his profits on a £5,000 Rolex watch, £68,000 on gambling in a London casino plus high-end hotels, drugs, and prostitutes. "It has been asserted on your behalf you are remorseful. I have seen no outward expression of that," said Judge Timothy Lamb QC.

At the start, the group used fake IDs and forged passports to buy advertising space. New IDs were created as frequently as once a month as the criminal gang played cat and mouse with advertising networks attempting to shut down suspect accounts. As the networks became suspicious, the group switched to more sophisticated tactics.

At one point the group was spending $50,000 per month on advertising, according to the NCA. “Eventually they migrated to a slightly more comprehensive, complex method where they would have a front company which they would say: ‘We are our own affiliate network,’” Leary explains. Qaiser would now start running companies that masked the behaviour of supposed clients.

One such company was TrafficInside.Me. Archived versions of its website from 2014 show it claimed to offer publishers and advertisers 24/7 support.

Leary says the website was still being used by Qaiser in 2018 and there were references to it on the devices seized from him. “That’s why we made the inference this was criminal money because it’s the same front company and a bogus identity appears to be being employed to engage with advertising agencies and there are vast sums of money being generated,” Leary says.

Qaiser was charged in February 2017 but a trial for the following year was cancelled after he was sectioned under the Mental Health Act. In December 2018 he was arrested after being accused of laundering £120,000 while on bail after the Wi-Fi network of the Goodmayes hospital in north-east London was used to access advertising websites he had previously used. It was then that Qaiser pleaded guilty to the charges against him.

Investigators say the Russian cybercrime group was responsible for developing the malware that was used, while Qaiser’s specialism was social engineering. In their attacks the group used the Angler Exploit Kit, which scanned a device for vulnerabilities before the Reveton ransomware was deployed. “The Reveton malware relied on a sophisticated operation that used solid distribution channels with best of breed exploit kits to compromise users,” says Segura.

“Reveton did not encrypt any files on the system or delete anything and could usually be easy to recover from, either by going into safe mode and running a scan with a security tool or using a boot-up disk to do the same thing,” says Adam Kujawa, director of Malwarebytes Labs. As Bitcoin and other cryptocurrencies weren’t widely used when the attacks took place, Reveton asked for payment using MoneyPak, a cash top-up card.

Qaiser was partly identified when the Liberty Reserve digital currency service was taken down by the US government in May 2013 and data from its servers showed he was a user. An accomplice named Raymond Odigie Uadiale was jailed in August last year in connection with the scam. A copy of the indictment issued against Uadiale detailed how he helped K!NG launder money.

Investigators were able to identify more than one million images stored on Qaiser’s MacBook. In addition to more than 3,200 chat logs – which took 750 man hours to sort through – there were copies of the dashboards used to monitor and run the scam. In particular, three key control panels for software were identified by investigators.

There was one for the Angler Exploit Kit, Leary explains. This let the group check whether any antivirus software had identified the code it was using, as well as look at infection rates. There was also a dashboard for Reveton. This allowed the group to monitor the number of infections created, the conversion of traffic to cash and details of the money that needed to be cashed out.

“Underpinning both of those is what’s called a TDS – a traffic directional distribution system,” Leary says. “That's used commonly across the advertising industry. But these guys are using it to upload their creatives, to upload their malicious JavaScript, to toggle between what they’re going to achieve with the deployment.”

All this was on top of a network of false domains, fake companies and identities, plus complex negotiations with advertising groups. “That was a full-time job,” Leary says. Qaiser also threatened advertising agencies that pushed back against his malicious adverts and launched at least two distributed denial of service (DDoS) attacks against companies, costing them £500,000. After the case concluded, the NCA said it was one of the “most sophisticated, serious and organised cyber crime groups” it had ever investigated.

Kujawa says the use of Reveton by the group, and other cybercriminals, helped to redefine the world of ransomware. “At least 50 per cent of the threats we’ve been combatting since 2013 were inspired by Reveton and its heavy use of social engineering or fooling the user more than trying to fool the system or steal information while hidden,” he says.

“It certainly was a move in the opposite direction, where most malware tries to be quiet and stay hidden, ransomware was loud and obvious and it’s because of this that many folks took these lock screens seriously and were terrified of them.”

This article was originally published by WIRED UK