The U.S. government has imposed sanctions on a Russian national for allegedly laundering millions of dollars’ worth of victim ransom payments on behalf of individuals associated with the notorious Ryuk ransomware group.
According to an announcement from the U.S. Treasury’s Office of Foreign Assets Control (OFAC), Ekaterina Zhdanova, 37, is accused of utilizing virtual currency exchange transfers and fraudulent accounts to launder money for Russian elites, ransomware groups, and other malicious actors to help them evade economic sanctions imposed on Russia’s financial system following the February 2022 invasion of Ukraine.
Ryuk first emerged in 2018 and is known for its attacks targeting the U.S. public sector. In 2020, during the COVID-19 pandemic, the gang was linked to an attack on Universal Health Services, one of the largest healthcare providers in the U.S., resulting in at least $67 million in lost earnings for the healthcare giant.
OFAC alleges that Zhdanova laundered over $2.3 million of “suspected victim payments” for a Ryuk ransomware affiliate in 2021. Zhdanova allegedly funneled the illicit funds through cryptocurrency exchanges that lack anti-money laundering controls, including the Russia-based Garantex exchange, which was the subject of U.S. sanctions in 2022.
According to OFAC, Zhdanova also uses conventional businesses to maintain access to the international financial system, including a luxury watch company with global offices. According to Chainalysis, a search of Zhdanova’s email address also reveals that she is currently selling a 13-room hotel in Moscow that generates up to 1,000,000 rubles a month, although it’s unclear how the hotel business relates to her alleged money laundering activity.
TechCrunch attempted to contact Zhdanova via WhatsApp and Signal messages but did not receive a response.
Zhdanova is also accused of conducting virtual currency exchange transfers on behalf of oligarchs who have relocated internationally. According to OFAC, a Russian oligarch enlisted Zhdanova to move over $100 million in wealth on their behalf to the United Arab Emirates, and she also assisted similar clients in obtaining tax residency in the country, as well as identification cards and bank accounts based in Dubai.
In February, the U.S. and U.K. governments imposed sanctions on seven individuals allegedly connected to a single network behind the Conti and Ryuk ransomware variants, as well as the infamous Trickbot banking trojan. These actions followed the guilty plea of Russian citizen Denis Mihaqlovic Dubnikov, 30, in a U.S. court for laundering Ryuk ransomware funds after being extradited from the Netherlands.