PyLocky: how French investigators tracked Hamza Bendelladj


A detailed analysis of how the ransomware operated, successful legal requisitions and open-source research: that, according to our information, is the mix the investigators of the cybercrime brigade (BL2C) of the Paris police headquarters used to track the hacker Hamza Bendelladj. Nicknamed BX1, he found himself at the heart of their investigation into PyLocky, a ransomware discovered in mid-2018.

The case is due to be judged this Thursday, August 31 by the Paris court. Unusual detail: the hacker, accused of having hacked and attempted to extort various French organizations – penitentiary centers, an association of notaries and a cooperative bank – will be tried by videoconference from his prison. He is currently in custody, having been sentenced in the United States in 2016 to fifteen years in prison for his involvement in the SpyEye banking Trojan. A spell behind bars which, according to the prosecution, did not prevent him from launching new malicious campaigns.

Approximately 200 lines of code

How did this famous hacker end up in the sights of the French police? Alerted by the first complaints filed in June 2018, the police first tried to look under the hood of PyLocky. The ransomware is quite minimalist, around 200 lines of Python code, underlines a source close to the investigation. Its infrastructure also seems rudimentary, with a lot of amateurism and no very advanced division of tasks.

The investigators therefore turn their attention to the spam campaigns used to spread the ransomware. During the summer, the police very quickly discover a first clue: the server used for the spam campaigns is in France, at a small host based in Lyon. This is probably to avoid being blacklisted by anti-spam services.

Access to a copy of the server, obtained by judicial requisition, makes it possible to dissect the mechanics of sending the spam messages. The investigators look in particular at the e-mail addresses corresponding to the test mailings, those used to check whether the messages pass the anti-spam filters.

Forrest City

While investigating one of them, the investigators come across a certain Boualem. Surprise: after some research, he turns out to be the brother of a famous hacker detained in Forrest City, in the United States! This location rings a bell for the investigators. This city in Arkansas is already mentioned in the legal file, with IP addresses connected to the attacks geolocated there.

Alternate e-mail addresses used for these tests give the investigators more context. One, believed to be used by Boualem’s companion, is a suspicious address already linked to one of the domain names of the Zeus botnet in a complaint filed by Microsoft in 2012.

Another makes it possible to establish the link with a domain name tied to TinyNuke, the malicious trojan that loads PyLocky onto victims’ machines. That program was written by a young Frenchman, Augustin, whose pursuit was recounted by a security analyst.

Private key

Result: by the end of 2018, the police are convinced that Hamza Bendelladj is involved in this story. They then work to substantiate this lead. They even succeed in finding a private key on one of the seized servers, which enables the development of decryption software, a first in France.

The rest, however, is more laborious, with several years needed to reach a trial. On the one hand, the French are the only ones really interested in PyLocky. Yet France does not seem to have been particularly targeted; the investigators instead assume that much of its malicious activity was mistakenly attributed to Locky.

On the other hand, the investigation against Hamza Bendelladj then got bogged down in the maze of international cooperation. One illustration: the investigators never ended up making the trip to the United States to question BX1, a hacker who now claims his innocence. “I have nothing to do” with these computer hacks, Hamza Bendelladj defended himself last May, during his first appearance before French judges.
