The U.S. Department of Justice (DoJ) has announced that a Russian citizen, Ilya Angelov, has received a two-year prison sentence for his role in managing a botnet utilized for ransomware attacks against American businesses. In addition to incarceration, Angelov has been ordered to pay a $100,000 fine.

Angelov, aged 40 and based in Tolyatti, Russia, was known online by the aliases “milan” and “okart.” Between 2017 and 2021, he allegedly co-managed a cybercrime group identified as TA551, which has been associated with various other names including ATK236 and UNC2420. The group has gained notoriety for its sophisticated tactics in cyber-enabled crime.

The DoJ revealed that Angelov’s organization built a network of compromised computers, or botnet, by distributing malware through malicious attachments in spam emails. This operational structure allowed Angelov and his co-manager to generate revenue by selling access to these infected machines to other cybercriminals.

According to a sentencing memorandum, TA551 developed its own programs for disseminating spam while enhancing malware to evade detection by security systems. As part of this operation, Angelov oversaw recruitment efforts and operational activities, including the use of a backdoor that facilitated the installation of additional malicious software on victims’ devices.

The primary objective of these cyberattacks was to resell access to other criminal enterprises that would subsequently conduct ransomware extortion. Between August 2018 and December 2019, TA551 reportedly enabled the BitPaymer ransomware group to compromise 72 U.S. corporations, leading to extortion payments exceeding $14.17 million.

Angelov’s group also engaged with operators of the IcedID malware, receiving over a million dollars to leverage their botnet for ransomware distribution. This collaboration is believed to have formed following the disruption of the BitPaymer group and continued until approximately August 2021, according to the FBI.

In a report by Mandiant, a Google-owned entity, it was noted that the TA551 group utilized phishing emails containing password-protected attachments to lure victims into executing macro-enabled Microsoft Word documents. This led to the deployment of a downloader known as MOUSEISLAND, which would then deliver a secondary payload, PHOTOLOADER, ultimately resulting in the installation of IcedID. Both MOUSEISLAND and PHOTOLOADER have been linked to Angelov’s group.
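As an added illustration (not from the DoJ filing or the Mandiant report), the following Python triage script flags the two lure traits described above when run over an e-mail: a password-protected archive whose entry listing shows a Word document, and a Word document that carries a VBA project. The message and attachments are constructed inside the script, and the archive's encryption flag is patched in because the standard library cannot write encrypted zips.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

WORD_EXT = (".doc", ".docm", ".dotm")   # Word formats that can carry VBA macros

def triage_attachment(name: str, blob: bytes) -> list[str]:
    """Reasons an attachment matches the protected-archive -> macro-enabled-Word lure chain."""
    reasons = []
    if not zipfile.is_zipfile(io.BytesIO(blob)):    # both .docm and .zip are zip containers
        return reasons
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "word/vbaProject.bin" in zf.namelist():  # where OOXML stores the VBA project
            reasons.append(f"{name}: macro-enabled Word document (vbaProject.bin present)")
        for info in zf.infolist():                  # entry names stay readable when data is encrypted
            if info.flag_bits & 0x1 and info.filename.lower().endswith(WORD_EXT):
                reasons.append(f"{name}: password-protected archive containing {info.filename}")
    return reasons

def triage_message(raw_eml: bytes) -> list[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    for part in msg.iter_attachments():
        findings += triage_attachment(part.get_filename() or "<unnamed>", part.get_payload(decode=True))
    return findings

# Constructed samples for a stand-alone run (not real malware).
def sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"stand-in for a VBA project stream")
    return buf.getvalue()

def sample_protected_zip(member: str) -> bytes:
    # One-member zip with general-purpose bit 0 (encrypted) set in the local and central headers.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x1
    return bytes(data)

def sample_eml() -> bytes:
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(sample_protected_zip("Invoice_2021.docm"), maintype="application", subtype="zip", filename="Invoice_2021.zip")
    msg.add_attachment(sample_docm(), maintype="application", subtype="octet-stream", filename="Statement.docm")
    return bytes(msg)
```

Running `triage_message(sample_eml())` reports both attachments; a protected archive holding only a text file, or a plain Word document without a VBA project, produces no finding.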

In addition to this case, the DoJ recently reported the sentencing of another Russian national, Aleksei Olegovich Volkov, to nearly seven years in prison for his involvement as an initial access broker for ransomware attacks targeting eight U.S. companies between July 2021 and November 2022.

As cybercriminals continue to evolve their methods, U.S. Attorney Jerome F. Gorgon Jr. emphasized that foreign actors like Angelov pose significant threats to American citizens and businesses, highlighting a continuing trend of increasing sophistication in cybercriminal tactics.