Botnet operator behind $14 million in ransomware extortion payments gets 24 months behind bars

A Russian national has been sentenced to 24 months in prison after admitting he managed a botnet used to launch ransomware attacks against dozens of U.S. companies. The judge also imposed a $100,000 fine and ordered him to forfeit $1.6 million linked to the scheme.

Court records show that from 2017 to 2021, Ilya Angelov, 40, of Tolyatti, Russia, who used the aliases “milan” and “okart,” co-managed a Russia-based cybercrime group tracked by the FBI as Mario Kart. Private security researchers also refer to the group as TA-551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127.

Angelov’s group built a botnet by distributing malware-infected files in spam email attachments, then monetized it by selling access to individual infected computers.

Using a campaign capable of sending up to 700,000 messages a day, the group spread malware worldwide, infecting users who opened malicious attachments and adding their systems to the Mario Kart botnet. At its peak, the operation infected up to 3,000 computers per day.

“This access was sold to other criminal groups, which typically engaged in ransomware extortion schemes, locking victims out of their computer networks and demanding extortion payments, commonly in cryptocurrency, to restore access,” prosecutors said.

According to the FBI, more than 70 U.S. companies were hit with ransomware by a group tied to Angelov’s operation, leading to over $14 million in extortion payments. One ransomware group paid Angelov’s group over $1 million for access to the Mario Kart botnet.

“Foreigner cybercriminals like this defendant target American citizens and corporations. Their methods grow in sophistication. But their motive remains the same — to rip-off and harm us,” said U.S. Attorney Gorgon.

An interesting detail is that Angelov voluntarily traveled to the United States to face charges and accept responsibility for his role in running the Mario Kart group.