Bank Saint-Petersburg has refused to pay a ransom to hackers who managed to steal the account information of over 300 thousand clients. In an increasingly popular trend, the cyber criminals were willing to remain silent for 29 million rubles (~US$500,000) payable in bitcoin.

Ultimatum deadline ends

Russian publication Fontanka reported that the theft of over 300,000 bank card records occurred back in early April and the authorities have been carrying out an investigation since. It was only on July 20 that the bank received an ultimatum from the culprit(s).

The ransom ultimatum sent to one of Russia’s leading banks Bank Saint-Petersburg expired at 12:00 on July 23.

“I took 300 thousand records with bank card information of your clients,” reads the first line of the ultimatum, sent to Bank Saint-Petersburg via email.

The hackers have demanded 29 million rubles, which they will accept via Bitcoin to their publicly posted wallet address.

Additionally, the ultimatum may have contained a cryptic message behind it since it was signed under the pseudonym of famous writer Isaac Asimov. Many believe this to correlate to April 6, the first day of the attack and also the day of the writer’s death.

“The culprits obtained information containing the full name, bank account numbers tied to bank cards and the tax identification numbers,” stated Bank Saint-Petersburg. “From the amount stolen, no more than 20% of this data is active and no other information including account balances and transaction history of these clients was revealed to the criminals.”

Moreover, the hackers failed to obtain the corresponding CVC codes and expiration dates, which prevented them from using the sensitive information. This is because to perform a transaction online, the user would need to indicate the card’s validity period, the special code (CVC) on the back of the card as well as receive and confirm a one-time password, sent by the bank.

No transaction could thus take place as the hackers did not posses all of the required data in addition to the two-factor authentication security.

Bank Saint-Petersburg

Going public

Cyber crime is becoming an increasingly attractive activity for criminals and is expected to become a US$2.1 trillion industry by 2019. Among the new popular methods used by cyber criminals are data hacking, ransomware and theft of digital currency.

This time, the extortionists threatened to go public by creating a “user-friendly” website (currently offline) to publicize the information to the media and the country’s central bank.

They outline their “PR campaign” in the following excerpt from the ultimatum:

“We have prepared a website containing the obtained information. It has an easy search function so people could check if their cards are in the database, which they could download and use locally, as well leave comments on the website. The link to the website will be sent to all media outlets and bank-related online resources. Payment systems Visa and Mastercard will be notified. The Central Bank and Federal Service on Surveillance for Consumer Rights Protection will also be informed. Hashtags across social networks are also ready to be quickly distributed among clients.”

Bank Saint-Petersburg however has seemingly called the hackers’ bluff, refusing to give into the extortionists’ demands. The bank cited that the stolen information is not sufficient to cause any real damage to the bank or its clients.

 “Specialists studied the situation and determined that the data obtained by the hackers is not critical for clients and cannot be used to carry out fraudulent operations,” explained Bank Saint Petersburg. “As a result, it was decided not to block their access to this information and wait until the authorities can find evidence that would allow them to apprehend the criminals in the future.”

Furthermore, the Chairman of the Bank Saint Petersburg Supervisory board, Aleksandr Saveliev referred to the matter as “nothing bank-related” and “a distraction” while offering to replace the bank cards of any doubters for free.

“Our clients are not at risk and were never at risk. If anyone would like to receive a new card, they can do so immediately and free of charge,” said Saveliev.

Now, as the ultimatum deadline has come and gone, it remains to be seen if the hackers will, in fact, release the sensitive information or whether it was a bluff all along. One thing for certain, however, is that Bitcoin will remain the new instrument of choice for cyber criminals as it offers a convenient and pseudo-anonymous way to receive funds for criminals, no getaway vehicle required.

And while this Russian bank was able to brush off this particular incident, other banks should certainly take note, improve their defenses and perhaps stock up on some bitcoins for good measure.