The U.S. government has sanctioned a Russian national for allegedly laundering millions of dollars’ worth of victim ransom payments on behalf of individuals linked to the notorious Ryuk ransomware group.
According to an announcement from the U.S. Treasury’s Office of Foreign Assets Control (OFAC), Ekaterina Zhdanova, 37, is accused of using virtual currency exchange transfers and fraudulent accounts to launder money for Russian elites, ransomware groups and other bad actors to help them evade economic sanctions imposed on Russia’s financial system following the February 2022 invasion of Ukraine.
Ryuk first emerged in 2018 and is known for its attacks targeting the U.S. public sector. In 2020, during the COVID-19 pandemic, the gang was linked to an attack on Universal Health Services, one of the largest healthcare providers in the U.S., costing the healthcare giant at least $67 million in lost earnings.
OFAC said Zhdanova laundered more than $2.3 million of “suspected victim payments” for a Ryuk ransomware affiliate in 2021. Zhdanova allegedly ran the illicit funds through cryptocurrency exchanges that lack anti-money laundering controls, including the Russia-based Garantex exchange, which was the subject of U.S. sanctions in 2022.
Zhdanova also uses traditional businesses to maintain access to the international financial system, including through a luxury watch company that has offices around the world, according to OFAC. As per Chainalysis, a search of Zhdanova’s email address also reveals that she is currently selling a 13-room hotel in Moscow that “generates a profit of up to 1,000,000 rubles a month,” or about $11,000 at the time of writing — though it’s unclear the hotel business relates to her alleged money laundering activity.
TechCrunch sent Zhdanova several WhatsApp and Signal messages via the phone number included on the listing, but did not hear back.
Zhdanova has also been accused of conducting virtual currency exchange transfers on behalf of oligarchs who have relocated internationally. According to OFAC, a Russian oligarch sought out Zhdanova to move over $100 million in wealth on their behalf to the United Arab Emirates, and she also helped similar clients obtain tax residency in the country, as well as identification cards and bank accounts based in Dubai.
In February, the U.S. and U.K. governments levied sanctions against seven individuals allegedly connected to a single network behind the Conti and Ryuk ransomware variants, as well as the infamous Trickbot banking trojan. The sanctions came days after Russian citizen Denis Mihaqlovic Dubnikov, 30, pleaded guilty in a U.S. court to laundering Ryuk ransomware funds following his extradition from the Netherlands.