Levashov Walks. Russian Spam King gets slap on the wrist

The US government and the White House like to talk tough on Ransomware.  If you listen to Joe Biden, fighting Ransomware is a top priority of the US Government.  He’s spent time convincing the G7, NATO, and the EU to take pledges about how earnestly they want to fight Ransomware, a judge in Connecticut has decided that spammers who distribute Ransomware should walk free.

From 2007 until 2012, I ran a project called the UAB Spam Data Mine.  The top spammer for the first several years was Peter Levashov, who first ran the Storm Worm and then the Waledac botnet. We regularly blogged about his spam campaigns. Here’s some examples: 

15OCT2007 – “Is Your Fifth Grader Smarter Than a Laughing Cat?

17NOV2007 – “Private Detective Spam

26DEC2007 – “A Stormy Christmas and a Botnet New Year” 

16JAN2008 – “Storm Loves You!

06JUN2008 – “A Romantic June Storm

01JUL2008 – “July Storm Worm gives us some Love” 

03JUL2008 – “Storm Worm Salutes Our Nation on the 4th!

22JUL2008 – “Amero to Replace Dollar? Could Storm Worm Be Right?

29JUL2008 – “FBI & Facebook: Storm Worm gets it all wrong!

03JAN2009 – “Happy New Year! Here’s a Virus! (New Year’s Postcard Malware)

25FEB2009 – “Money Tight? Watch out for Coupon Offers from CyberCriminals” 

16MAR2009 – “Waledac: Fake Dirty Bomb in Your City

18MAR2009 – “Carders do battle through spam – carder.su” 

09APR2009 – “Is There a Conficker E? Waledac makes a move…

15APR2009 – “Waledac shifts to SMS Spy Program” 

29APR2009 – “Waledac Moving on to . . . Canadian Pharmacy?

03MAR2010 – “Spamming Botnets – Strategies welcome” 

03JUL2009 – “Are You Ready for Independence Day Fireworks? Waledac Is!

31DEC2009 – “New Year’s Waledac Card” 

In 2008, Levashov was secretly indicted for his spamming and Federal agents were deployed to Moscow to ask for Levashov.  I actually created a Google Map showing that every city in Russia had thousands of infected IP addresses that were being used to send the spam. Despite a mountain of evidence, he was protected.  He kept on spamming, but honestly, I gave up on there being any hope he would be captured.

After others tried to take down the Kelihos botnet, it re-emerged in the form of a Spam Campaign taking advantage of the Boston Marathon Bombing.  I attempted to get law enforcement interest in him again at that time. Surely a criminal who would use the Boston Marathon attack to relaunch the new version of his botnet would be worth interest.  Nothing.  I was reminded of 2009 and told “The Russians are protecting him.”

10APR2013 – “New Spam Attack accounts for 62% of our spam!

17APR2013 – “Boston Marathon explosion spam leads to Malware” 

18APR2013 – “Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion” 

TrendMicro confirmed this was Kelihos as well in their post: 

16APR2013 – “Kelihos Worm Emerges, Takes Advantage of Boston Marathon Blast” 

In 2016, we decided to try again, with the “Kelihos Must Die” task force.  We provided regular updates of the bad things Kelihos was doing.  Students in my lab, led by my friend (now) Dr. Arsh Arora, produced daily documentation of the behavior of the botnet, and we were starting to get excited that something might actually happen this time.  We believed that Kelihos was sending FOUR BILLION SPAM MESSAGES PER DAY, and took the time to prove it was delivering ransomware attacks, banking trojan attacks, and phishing attacks.  Levashov would send spam to deliver any payload you paid him to deliver.  

09JUL2016 – “Kelihos botnet delivering Dutch WildFire Ransomware

04AUG2016 – “American Airlines spam from Kelihos delivers Ransomware

12AUG2016 – “Kelihos botnet sending Panda Zeus to German and UK Banking Customers

16AUG2016 – “Kelihos botnet sending geo-targeted Desjardins Phish to Canadians

30AUG2016 – “Amazon Gift Card from Kelihos!

14SEP2016 – “Long-Lived Pill Spam from Kelihos

09NOV2016 – “Kronos Banking Trojan and Geo-Targeting from Kelihos

30NOV2016 – “NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

01FEB2017 – “Kelihos infection spreading by Thumb Drive and continues geo-targeting” 

And then on April 20, 2017, it was over!  

Spanish authorities arrested Levashov in Barcelona and he was sent to the United States to stand trial. 

After initially pleading not guilty, he changed his plea to guilty on 12SEP2018.  He admitted controlling and operating Storm, Waledac, and Kelihos, and to disseminating spam that distributed other malware, including banking trojans and ransomware.  He admitted that he actively advertised the Kelihos botnet and his ability to deliver spam and malware and that he did so in order to enrich himself.  He admitted to stealing identities and credit cards and buying and selling them.

The US Prosecutor in the case filed this Sentencing Memo as he told the Judge what the Department of Justice thought should be done in this case: 

And just to make things clear, they used the Sentencing Guidelines and included this helpful (required by law) recommendation of sentence in the Sentencing Memo to help the judge understand what the law said should be done: 

The judge decided instead that he would ignore the recommendation of the Department of Justice and that based on nothing but his own intuition, (as reported by Brian Krebs:) 

“the total offense level does overstate the seriousness of Mr. Levashov’s criminal culpability” and said he believed Levashov was unlikely to offend again.  “I believe you have a lot to offer and hope that you will do your best to be a positive and contributing member of society.” — Judge Robert Chatigny of Connecticut
And with that, a single judge in Connecticut decided that this CAREER CRIMINAL was “unlikely to offend again” and that he felt that the charges were overstated AND LET HIM GO.

So much for the government’s priority on stopping Ransomware.

The message this incompetent judge has just delivered to the criminal community is this: 

“Spam as much as you want, as long as you have a good lawyer and an incompetent judge, spam clearly doesn’t matter to the United States.” 

*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner. Read the original post at: http://garwarner.blogspot.com/2021/07/levashov-walks-russian-spam-king-gets.html