Russian authorities have arrested three individuals, including Aleksandr Nenadkevichite Ermakov, on charges under Article 273 of the Russian criminal code (creation, use and distribution of malicious computer programs), according to Russian cybersecurity firm FACCT. FACCT says the suspects used malicious code against targets inside Russia while operating under the guise of a legitimate IT company named Shtazi-IT.
Ermakov, also known by the aliases GustaveDore and JimJones, has previously been linked by the U.S., Australia and the U.K. to the 2022 breach of Australian health insurer Medibank. The Russian charges, however, concern domestic targets and are not directly related to the Medibank incident, even though one of the suspects reportedly used those same aliases.
The suspects are also allegedly associated with SugarLocker, a ransomware-as-a-service operation that emerged in 2021. Unlike most ransomware groups, which go after businesses, SugarLocker affiliates primarily targeted individuals and small businesses, according to cybersecurity firm Malwarebytes.
FACCT, which contributed cybercrime intelligence to the investigation, said the arrests followed cooperation with the Bureau of Special Technical Measures of the Russian Ministry of Internal Affairs. FACCT is the former Russian business of Group-IB, which divested it in April 2023.
The arrests come amid heightened scrutiny of Russian-speaking cybercrime groups, particularly following the recent law-enforcement disruption of the LockBit ransomware operation. As in earlier cases involving Russian cybercriminals, legal experts note that Russia's computer-crime laws are applied mainly to offenses affecting Russian victims, and that Russian nationals accused of cybercrimes abroad are rarely extradited.