{
	"id": "a72fd819-ffe8-45e6-82f1-291ed4719939",
	"created_at": "2026-04-06T00:19:32.840561Z",
	"updated_at": "2026-04-10T13:11:54.046429Z",
	"deleted_at": null,
	"sha1_hash": "0fa9c495447fb815cc260a044877e3c22dab31a3",
	"title": "Russia arrests three alleged SugarLocker ransomware members",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80408,
	"plain_text": "Russia arrests three alleged SugarLocker ransomware members\r\nBy Daryna Antoniuk\r\nPublished: 2024-02-22 · Archived: 2026-04-05 19:16:49 UTC\r\nRussian authorities have identified and arrested three alleged members of a local ransomware gang called SugarLocker.\r\nThe group operates under the guise of a legitimate tech company called Shtazi-IT, offering services for the development of landing pages, mobile apps, and online stores, according to a report by F.A.C.C.T., a Russia-based company that was involved in investigating the group's activities alongside authorities.\r\nF.A.C.C.T. is a spinoff of the cybersecurity firm Group-IB, which left the Russian market last year and is currently headquartered in Singapore.\r\nThe timing of the arrest announcement is “extraordinary” as it overlapped with a massive international operation against the ransomware gang Lockbit, said Dmitry Smilyanets, a product management director at Recorded Future, the parent company of The Record.\r\n“It could be coincidental or could be timed specifically to show they can also do arrests,” he said.\r\nAnother security expert, who asked not to be identified due to security concerns, also suggested that this arrest could be a PR attempt by Russia. The suspects identified might not be under the strict operational control of the government and would likely continue their operations, they said.\r\nAccording to F.A.C.C.T., the SugarLocker malware has been deployed since at least 2021 as ransomware-as-a-service, a model in which malicious tools are offered for a fee or a share of the ransom payments collected by the criminals.\r\nFor instance, they found that SugarLocker receives 30% of its affiliates' profits, or 10% if those profits exceed $5 million.\r\nThe group has mostly gained access to its targets through the Remote Desktop Protocol (RDP), which allows users to access and control a computer remotely over a network.\r\nUpon its launch, SugarLocker pledged not to attack Eastern European countries, except the Baltic States and Poland. The group does not operate a data leak site, so it's not clear who their victims are.\r\nSugarLocker affiliates purport to be motivated exclusively by financial interests in carrying out cyberattacks.\r\n“It's just a business. We absolutely do not care about you and your deals, except getting benefits,” the group’s ransom note said. “If you will not cooperate with our service — for us, it does not matter. But you will lose your time and data.”\r\nThe person who announced the malware’s launch in 2021 on the darknet forum called RAMP went by the username \"Gustave Dore\" — a pseudonym that was also used by the Russian citizen Aleksandr Ermakov, who was sanctioned by Australia, the U.K., and the U.S. in January for his alleged involvement in the 2022 attack on the Australian health insurance provider, Medibank.\r\nErmakov is believed to be part of the infamous Russian cybercrime group REvil — one of the most active ransomware gangs. F.A.C.C.T. has not officially confirmed Ermakov’s link to SugarLocker.\r\nThe security expert familiar with the group’s operation who asked not to be identified told Recorded Future News that Aleksandr Ermakov is definitely connected to SugarLocker, but they speculated that a different hacker with the same name could have been involved with the Medibank attack.\r\nWhen the police searched SugarLocker members' apartments earlier in January, they reportedly found laptops, mobile phones, correspondence, and other digital evidence of illegal activity.\r\nThe detained members went by the nicknames blade_runner, GustaveDore, and JimJones.\r\nThe defendants have already been charged with creating, using, and distributing malicious computer programs. If found guilty, they could face up to four years in prison. The investigation is ongoing, according to F.A.C.C.T.\r\nResearchers said that after group members saw that SugarLocker was under investigation, one of them joked in private chats: “Guys, I’m going to Siberia, I definitely need to.”\r\nSiberia is associated with Russian prisons and exile due to its harsh climate and remote unpopulated areas.\r\nThe hacker’s joke, F.A.C.C.T. said, turned out to be “prophetic.”\r\nDaryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/russia-arrests-sugarlocker-ransomware-members",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/russia-arrests-sugarlocker-ransomware-members"
	],
	"report_names": [
		"russia-arrests-sugarlocker-ransomware-members"
	],
	"threat_actors": [],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fa9c495447fb815cc260a044877e3c22dab31a3.pdf",
		"text": "https://archive.orkl.eu/0fa9c495447fb815cc260a044877e3c22dab31a3.txt",
		"img": "https://archive.orkl.eu/0fa9c495447fb815cc260a044877e3c22dab31a3.jpg"
	}
}