by Mike Vogel
Updated 11 months ago
A South Florida man is one of the first in the U.S. to be arrested and sentenced for ransomware-related crimes.
As an adjunct math professor at Miami Dade College, Raymond Uadiale earned glowing reviews on a website where students rate their professors. As a student, the Nigerian immigrant did well enough in his graduate school telecom and network studies at Florida International University that his GPA placed him among the top performers in his class.
Uadiale married, had two kids and landed a job with Microsoft in Seattle as a network engineer. He and his wife bought a $390,000, three bedroom house in 2017 in Maple Valley, Wash., about an hour south of Microsoft’s Redmond headquarters.
Last March, as the family got ready to start their day, Uadiale opened the front door around 7 a.m. to find at least a half-dozen FBI agents, some with weapons drawn, one with a twohanded door ram. They had a search warrant, patted down Uadiale, and as his kids played and then left with their mother, the agents searched the house. Uadiale sat on the living room couch as agents quizzed him about where he got his money and also talked soccer and gardening. They seized four computers, Amazon devices, thumb drives, tablets and Samsung phones.
Two months later, Uadiale was indicted in Miami on charges of laundering money for a ransomware operator based in England who tapped victims for nearly $100,000.
Court and public records show that Uadiale, now 41, was born in Nigeria and immigrated to the United States. He taught math and served as a tutor at Miami Dade College off and on from 2008 until last year, according to the college. Also in 2008, he finished a master’s in telecom and networking at Florida International University, according to a university spokeswoman. He became a U.S. citizen in 2011, and by 2012 was living in a Miami Gardens apartment.
It’s not clear how, but around that time he made contact via the internet with an individual in England who identified himself online only as “K!NG.” They would chat via the internet from fall 2012 to spring 2013.
K!NG — Uadiale said he never learned the man’s real name — was Zain Qaiser, according to authorities. Qaiser at the time would have been in his teens, but he was making, according to later British press reports, “tens of thousands of pounds” off victims of ransomware.
Qaiser acquired ad space on legal porn sites and placed ads containing malware on them, British media reported. Visitors who clicked on the ads unknowingly infected their computers with a particular strain of ransomware then making the rounds called Reveton. Reveton froze computer screens, falsely displayed law enforcement logos — of the FBI and myriad other agencies in other countries — and a message informing the computer users that they had violated the law and criminal proceedings would ensue unless they paid a fee.
The frozen screen had instructions to buy a specific company’s prepaid debit card, enter the account number on the frozen screen and thus pay the ransom. Qaiser hammered hundreds of victims and got them to part with several hundred dollars apiece, federal authorities say.
He enlisted Uadiale to launder the money. The scheme was complicated, but Qaiser would move the prepaid debit card money people paid as ransom onto other prepaid debit card accounts obtained by Uadiale. Federal authorities say Uadiale then would go to ATMs and other point-of-sale locations in Miami Gardens and elsewhere and turn the cards into cash. He kept 30% for himself and forwarded 70% of the proceeds to Qaiser via a digital currency platform.
Once, Qaiser advised Uadiale they had a lot of work coming because “the main locker guy infected 100k+ USA PCs.” (Locker is slang for ransomware.) When K!NG chatted about needing to make money, Uadiale responded, “Me, too, I need money so I can get wasted on my birthday.” All told, Uadiale, according to court proceedings, sent Qaiser $93,640.
Qaiser was arrested by English authorities and charged with blackmail, fraud and computer protection law violations. On his laptop, they found digital chats between Qaiser, as K!NG, and a “Mike Roland.” One of the chats included a reference to a Yahoo email address. Federal authorities got a warrant to look into that email account, which led them to Uadiale (aka Mike Roland), which in turn led them to the warrant to search Uadiale’s Washington house and seize his technology, where they found more chats with K!NG.
In announcing the case, the U.S. Attorney’s office said Uadiale laundered the money while a student at FIU. FIU, however, says he graduated in 2008 — years before the ransomware money laundering.
His attorney, David Joffe, said Uadiale was “living the American dream out there, and this past conduct came to bite him in the rear end.”
He lost his job at Microsoft. His wife, at last report, remained in Washington to pursue a nursing degree. He was charged with a single count of conspiracy to launder money and one actual count, each carrying a 20-year term. In a plea bargain, he pleaded guilty to the conspiracy charge.
“I agree I made a mistake,” he told federal judge William P. Dimitrouleas as he pleaded guilty last year. “But the best thing is I got married. I have two young kids I’m taking care of.” At his sentencing, he was hoping for probation. “I really plead to be able to go back and support my kids,” he said. “I don’t want them to be homeless or to be — to not have their father, if I’m not there with them. … I don’t want the mistake I made in my life to ruin their own future.”
Federal prosecutor W. Joss Nichols of the Justice Department’s computer crime and intellectual property section, told the judge that given his “clear intelligence,” Uadiale should have known better but “pure greed and gluttony” motivated him. Nichols said ransomware is a top five crime his section sees, with $1 billion in victim payments a year. But it’s so hard to track down perpetrators that Uadiale’s sentencing “is one of the first, if not the first, ransomware-related sentencing that has occurred in the United States.” Nichols told the judge, “this sentence today has the opportunity to make an announcement that ransomware is a serious crime. It causes serious harm. And those who would profit — seek to profit from the proceeds of ransomware victims — face serious consequences.”
Dimitrouleas sentenced Uadiale to 18 months in prison followed by three years of supervised release. Uadiale’s attorney, Joffe, has appealed the sentence as too severe for the crime and Uadiale’s lack of a criminal history.
Lessons from the Biggest Breaches
Yahoo: 3 billion user accounts were breached in 2013, making this the largest data breach to this day. That number was not disclosed until three years later. Usernames and email addresses were stolen, but passwords were not.
- Lesson: Don’t wait three years or even three months to notify your stakeholders of a data breach.
Myspace: Names and passwords from more than 360 million Myspace accounts prior to June 2013 were compromised. This didn’t become public information until May 2016. While many people had long since gotten rid of their Myspace accounts, studies show that at least half of online users use the same password for all of their accounts.
- Lesson: Change passwords frequently and don’t use a single password for all of your accounts.
Under Armour: In February 2018, 150 million usernames, email addresses, and/or passwords were stolen from the users of MyFitnessPal — Under Armour’s food and nutrition app and website. Most of the passwords stolen were encrypted, making passwords an unintelligible assortment of characters. A news release was put out by the company regarding the issue just four days after learning of the breach.
- Lesson: Encrypt company and customer passwords whenever possible.
eBay: 145 million eBay users’ data were breached in 2014. While eBay owned up to the breach and notified users in a satisfactory amount of time, some users had difficulty renewing their passwords after the breach.
- Lesson: Make sure the system you have in place (like password renewal) to negate data breach fall-out is glitch-free.
Equifax: The personal information of 143 million consumers and the credit card information of 209,000 consumers was exposed in 2017. Equifax notified the public two months after they found out about the breach.
- Lesson: Find ways to make the situation right, like providing resources for consumers. — R. Marshall Stevens, co-owner of Stevens and Stevens Business Records Management, a storage and information management center that serves the Southeastern U.S. and has locations in St. Petersburg and Tampa
A new handbook helps combat cyber-attacks.
While data breaches against big companies get most of the attention, 58% of malware attacks actually target small businesses, according to the 2018 Verizon Data Breach Investigation Report. Also, according to the Ponemon Institute’s 2018 State of Cybersecurity in Small and Medium-Sized Businesses, 67% of small businesses experienced a cyber-attack last year.
“Small businesses are targeted by cyber-criminals precisely because they are small,” says Sri Sridharan, executive director of University of South Florida-based Cyber Florida: The Florida Center for Cybersecurity. “Criminals know these businesses don’t have the financial resources to employ state-of-the-art cyber-defenses but still trade in the same consumer data and intellectual property as larger businesses that can afford to invest more in cyber-security.”
In response, the Florida Center for Cybersecurity released a comprehensive cyber-security handbook last month written for small-business owners. Titled, Cyber Defense for SMBs, the 52-page report includes tips on protecting data, thwarting attacks and managing any attacks that get through. The report, the first of its kind from Cyber Florida, can be downloaded at cyberflorida.org/SMB. — Art Levy
Cyber-Security: A Career Path
Some 23 public universities and colleges and 12 private schools in Florida offer a total of 100 certificate, associate’s, bachelor’s and master’s programs in cyber-security and related fields such as information security and digital forensics, according to the 2017 State of Cybersecurity in Florida report from the Florida Center for Cybersecurity at the University of South Florida and from the Gartner Group. Eight public universities and five other private and public higher education institutions hold National Centers of Academic Excellence designations in cyberdefense education or research from the National Security Agency and Department of Homeland Security. Florida is well positioned to fill the demand for cyber-talent, according to the report.
13,465 — Florida cyber-security job openings, including operations and systems maintenance, systems development, threat mitigation, analysts, leadership, forensics and investigation
35,987 — Floridians employed in cyber-security
“Very Low” — CyberSeek’s rating of the supply of cyber-security workers in Florida. Florida’s healthiest ratio of openings to supply is in the career starter certification level. For the highest-level workers — managers of enterprises and designers and managers of systems — there are more openings than actual workers employed in the field in Florida.
4,273 — Number of openings in Tampa Bay, the largest number of openings in any metro in Florida
8,959 — Number of cyber-security workers in Southeast Florida, the top metro in the state for cybersecurity employment
Note: The cyber-security employee base is for 2017 and includes both specialists in cyber-security and workers that require cyber-security-related skills and certifications. CyberSeek is supported by the National Initiative for Cybersecurity Education, a program of the U.S. Department of Commerce.
Read more in our February issue.
Select from the following options:
* offer valid for new subscribers only