AO 106 (Rev. 04/10) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the District of Alaska

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address): INFORMATION ASSOCIATED WITH service@provendatarecovery.com and service@provendata.com THAT IS STORED AT PREMISES CONTROLLED BY Liquid Web, Inc.
Case No. 3:18-mj-00003-KFM

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment A, incorporated here by reference, located in the District of Alaska, there is now concealed (identify the person or describe the property to be seized): See Attachment B, incorporated here by reference.

The basis for the search under Fed. R. Crim. P. is (check one or more):
[X] evidence of a crime;
[X] contraband, fruits of crime, or other items illegally possessed;
[X] property designed for use, intended for use, or used in committing a crime;
[ ] a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:
Code Section: 18 USC 1030, 1343, and 2511.
Offense Description: Fraud and related activity in connection with computers, wire fraud, and illegal wiretapping.

The application is based on these facts: See attached Affidavit in Support of Search Warrant.
[X] Continued on the attached sheet.
[ ] Delayed notice of ___ days (give exact ending date if more than 30 days: ___) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Signature Redacted (Applicant's signature)
Jayanth Swamidass, Special Agent, FBI (Printed name and title)

Sworn to before me and signed in my presence.

Date: [illegible]
Signature Redacted (Judge's signature)
City and state: Anchorage, Alaska
Kevin F. McCoy, United States Magistrate Judge (Printed name and title)
Case 3:18-mj-00003-KFM Document 1 Filed 01/05/18 Page 1 of 16

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ALASKA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH service@provendatarecovery.com and service@provendata.com THAT IS STORED AT PREMISES CONTROLLED BY Liquid Web, Inc.

Case No. 3:18-mj-00003-KFM
Filed Under Seal

AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT

I, Jayanth Swamidass, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application for a search warrant for information associated with certain accounts that are stored at premises controlled by Liquid Web, Inc., an email provider headquartered at 2703 Ena Drive, East Lansing, Michigan 48917. The information to be searched is described in the following paragraphs and in Attachment A. This affidavit is made in support of an application for a search warrant under 18 U.S.C. §§ 2703(a), 2703(b)(1)(A) and 2703(c) to require Liquid Web, Inc. to disclose to the government copies of the information (including the content of communications) further described in Section I of Attachment B. Upon receipt of the information described in Section I of Attachment B, government-authorized persons will review that information to locate the items described in Section II of Attachment B.

2. I am a Special Agent with the FBI, and have been since October 2015. I am currently assigned to the Anchorage, Alaska Division of the FBI, and to a squad responsible for investigating national security and criminal cyber threats and intrusions. Among other duties, my squad specializes in the investigation of computer and high-technology crimes, including computer intrusions, denial of service attacks, and other types of malicious computer activity.
Prior to joining the FBI, I was employed as a global trade consultant with a multinational professional services firm, where I advised large corporate clients on international trade regulatory matters. I hold a Juris Doctor degree and am a member of the California State Bar. As a federal agent, I am authorized to investigate violations of the laws of the United States and am a law enforcement officer with authority to execute federal search warrants. I have served several search warrants, and have seized evidence of criminal violations.

3. This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

4. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that violations of 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1030 (Computer Fraud and Abuse Act), and 18 U.S.C. § 1956 (money laundering) have been committed by unknown persons. There is also probable cause to search the information described in Attachment A for evidence, instrumentalities, contraband or fruits of these crimes further described in Attachment B.

JURISDICTION

5. This Court has jurisdiction to issue the requested warrant because it is "a court of competent jurisdiction" as defined by 18 U.S.C. § 2711. Specifically, the Court is "a district court of the United States . . . that has jurisdiction over the offense being investigated." 18 U.S.C. § 2711.

LEGAL BACKGROUND

6. Title 18, United States Code, Section 371 states, "If two or more persons conspire either to commit any offense against the United States . . . and one or more of such persons do any act to effect the object of the conspiracy, each shall be imprisoned not more than five

7.
Title 18, United States Code, Section 1343 states, "Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be imprisoned not more than 20

8. Title 18, United States Code, Section 1030 states, "Whoever . . . (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— . . . (C) information from any protected computer; * * * (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; (5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. * * * (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any— (A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion; shall be punished as provided in subsection (c) of this section. (b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. (c) The punishment for an offense under subsection (a) or (b) of this section is— a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if— (i) the offense was committed for purposes of commercial advantage or private financial gain; (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or (iii) the value of the information obtained exceeds $5,000; and a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph . . ."
PROBABLE CAUSE

DMA Locker is used by the subject to encrypt data on a victim's computer system and require payment in exchange for restored access to that data

9. As of January 2, 2018, the FBI has received approximately 42 complaints from victims of a form of computer malware identified as DMA Locker. The characteristics of DMA Locker categorize it as "ransomware." Generally, upon installation of ransomware on a victim's computer, the program will seek to encrypt all files on the system, rendering the computer unusable. When the owner or user of the computer attempts access, the ransomware will display a message or ransom note informing the user of the encryption and demanding payment in exchange for a key or password to decrypt the files.

10. In the case of DMA Locker, the FBI has identified that the subject responsible for such attacks is able to plant the ransomware on victim computers by exploiting weak passwords associated with Windows Remote Desktop Connection (RDC) accounts. Doing so gives the subject remote access to the computer. The ransomware requires administrator privilege to execute, but if the compromised account does not have administrator privileges, the subject will use additional software to gain access as an administrator.

11. FBI forensic analysis of victim computers suggests the subject uses additional software to scan the victim's local computer network and provide a map of additional computers connected to the victim's compromised computer. Doing so provides many benefits, one of which would provide the subject intelligence on how large of an infection they could possibly inflict on the victim network, and additionally, a list of additional services the victim's systems are using that might also be vulnerable to exploitation. When executed, the ransomware references a list of file extensions, which if located on the victim network, the ransomware will attempt to encrypt.

12.
After the encryption is completed, the ransomware will display a message to the victim user, which informs the user of what has occurred, and that the information is only recoverable by paying the subject with Bitcoin (an online cryptocurrency with real value convertible to U.S. Dollars), who will then provide the victim with a key to regain access to the data. In the cases that the FBI has investigated, this ransom amount has ranged from approximately three Bitcoins to approximately 10 Bitcoins. While the conversion rate of Bitcoins to United States Dollars fluctuates daily, as of the date of this affidavit, 1 Bitcoin is valued at approximately $18,000.

13. According to the online website for the anti-malware company Malwarebytes, malware researchers first observed DMA Locker ransomware attacks beginning in or about February 2016.

First observed instance of DMA Locker attack and remediation by Proven Data Recovery

14. The FBI's investigation into DMA Locker began around April 3, 2016, when an attorney representative of the real-estate agency Herrington Company contacted the FBI Anchorage Division to report that the company's computer system had been infected by malware. This ransomware had encrypted approximately all files on Herrington Company's computer system and demanded payment of four Bitcoins made to Bitcoin address [omitted]. After payment had been completed, the ransom note prompted the victim to send an email to address team4004@gmx.com referencing a code found in the note that would identify the victim to the subject. After this, the victim would be provided with an electronic key to decrypt the files.

15. On or about April 11, 2016, Simon Schroeder, an information technology (IT) services consultant hired by Herrington Company to remediate the ransomware problem, sent an email to address team4004@gmx.com, attempting to confirm that the subject would provide a key after payment.
On April 11, 2016 at 19:51:09 +0200, the consultant received a one-word email from team4004@gmx.com, stating: "yes."

16. Also on or about April 11, 2016, the owner of Herrington Company, Leif Herrington, informed the FBI that he had engaged a New York-based firm called Proven Data Recovery (PDR) to help recover Herrington's electronic data. PDR claimed the ability to decrypt files infected with ransomware for a fee. PDR quoted Herrington a price of approximately $6,000 in order to restore access to the files.

17. Following a consultation with a client manager from PDR, Schroeder provided PDR with a sample file for evaluation. PDR then scheduled an appointment a couple days later. During the appointment, Schroeder first moved the files to a backup computer system. Schroeder then granted remote access to PDR so it could access the infected computer system, which contained a subset of the files. Schroeder observed PDR work on Herrington Company's computer system using the command prompt for approximately 45 minutes, after which the files were decrypted. Schroeder later provided PDR remote access to the computer workstation at Herrington Company that contained the remainder of the files. PDR then decrypted those files using a similar process.

18. While Schroeder was unable to tell exactly what PDR had done to the data, based on the size of the files, and the speed at which PDR was able to decrypt them, Schroeder believed that PDR simply paid the original four Bitcoin ransom, after which the subject responsible provided the means to decrypt the files. PDR did not inform either Schroeder or Herrington that this would be their method to restore access to the files.

Proven Data Recovery's method to recover data encrypted by DMA Locker is to communicate with the subject responsible for the attack and pay the demanded ransom

19.
Subsequent investigation by the FBI confirmed that PDR was only able to decrypt the victim's files by paying the subject the ransom amount via Bitcoin address [omitted], communicating with the subject at email address team4004@gmx.com, and obtaining a key from the subject via that same email address. Records associated with Bitcoin accounts owned by PDR, provided to the FBI pursuant to federal grand jury subpoena by Bitcoin exchanger Coinbase, Inc., showed a transaction of four bitcoins sent from PDR's account to Bitcoin address [omitted] on April 11, 2016, at 11:37:41 AM.

20. On or about April 7, 2016, FBI Special Agents interviewed Mark Congionti, Lead Solutions Manager at, and one of the owners of, PDR, regarding his knowledge of DMA Locker and the DMA Locker attack on Herrington Company. Congionti stated that he was very familiar with DMA Locker, as his company had helped numerous victims of the malware recover data. According to Congionti, there was currently no way to decrypt such data, apart from paying the subject and obtaining a key. Congionti acknowledged that PDR did communicate with the subject responsible for DMA Locker attacks in the course of making payments to the subject on behalf of clients.

21. According to Congionti, all of PDR's communication with the DMA Locker subject was conducted using PDR's company email account, and retained by PDR. In fact, PDR maintained several hundred such email exchanges between PDR and email addresses associated with DMA Locker attacks. Congionti promised to provide the FBI with all requested records of communications associated with DMA Locker attacks, with the stipulation that producing them would likely be a time-intensive process.

Proven Data Recovery has provided the FBI with records of a limited number of email exchanges with DMA Locker email accounts; however, Proven Data Recovery maintains many more

22.
On or about April 7, 2017, the FBI sent an email to Congionti requesting the following information: (1) any email communication with the ransomer related to the April 2016 Herrington Company DMA Locker attack, (2) any email communication with the email accounts team4004@gmx.com and team2002@gmx.com, (3) a list of all email aliases used by the DMA Locker ransomer, (4) Bitcoin accounts used by the DMA Locker ransomer, and (5) relevant forensic reports containing IP address identifiers. In an email sent to the FBI on or about May 12, 2017, Congionti provided copies of approximately 12 emails sent between the email account service@provendatarecovery.com and either the email address january0040@gmx.com or team4004@gmx.com. Both of these email addresses had been previously known to the FBI as ones utilized by the subject responsible for DMA Locker. In addition to these emails, Congionti also provided the FBI with a list of all email addresses that PDR had identified as associated with DMA Locker. These accounts were week4004@fastmail.com, january0040@gmx.com, january0060@gmx.com, team2002@gmx.com, team4004@gmx.com, and team8008@gmx.com.

23. In the same email, Congionti stated that Proven Data Recovery had "200 or more cases and many more emails" related to DMA Locker attacks. At that time, given that it had already taken PDR over a month to produce any records, the FBI did not request that PDR provide records of all emails between PDR and the DMA Locker email accounts. However, the FBI did request the emails associated with the April 2016 DMA Locker attack on Herrington Company.

24. On or about May 26, 2017, PDR provided the FBI with one email sent from the email account team4004@gmx.com to the account service@provendatarecovery.com. This email was dated April 11, 2016 15:01:42 -0400, with subject line "Re: PAID DMALOCK 70:40:44:84:72:48:39:59." The content of the email said "Thank you for your payment.
Password for attachment is your email: Extract all files to C:\Program Data and run svchost.exe as administrator (it's important) then load dma_private.key and click button." The FBI understands this email to be the provision of a key to PDR following payment of the four Bitcoin ransom.

25. Based on Mail Exchanger (MX) records for the domain provendatarecovery.com, the FBI believes email records are stored at the premises of Liquid Web, Inc. located at 2703 Ena Drive, Lansing, MI 48917. The MX is the server designated as responsible for receiving email for the associated domain. A domain's MX information is generally registered along with its Domain Name Servers (DNS) information, which is publicly available through third party tools such as mxtoolbox.com. According to MX records returned by mxtoolbox.com for provendatarecovery.com, Liquid Web, Inc. IP address 72.52.140.22 is the designated MX server responsible for the domain.

26. On or about December 5, 2017, FBI Special Agents again interviewed PDR executives Mark Congionti and Victor Congionti. Both confirmed that PDR has used the email accounts service@provendata.com and service@provendatarecovery.com to communicate with the DMA Locker subject in the course of facilitating payment on behalf of victims of DMA Locker. Victor Congionti also confirmed that PDR utilized Liquid Web, Inc. to host these email accounts, and that all email content associated with these accounts is stored on a dedicated server in the control of Liquid Web. According to Victor Congionti, the host name of this server is serv.seribrum.com.

27. In general, an email that is sent to a Liquid Web subscriber is stored in the subscriber's "mail box" on Liquid Web servers until the subscriber deletes the email. If the subscriber does not delete the message, the message can remain on Liquid Web servers indefinitely.
Even if the subscriber deletes the email, it may continue to be available on Liquid Web's servers for a certain period of time.

28. Victor Congionti stated that PDR also maintains a database within their own computer systems that contains records of all clients that have been attacked by DMA Locker. PDR also maintains in its computer systems forensic reports PDR conducted of victim computer systems infected with DMA Locker.

BACKGROUND ON EMAIL, IP ADDRESSES, AND BITCOIN

29. In my training and experience, I have learned that Liquid Web, Inc. provides a variety of on-line services, including electronic mail ("email") access, to the public. Liquid Web, Inc. allows subscribers to obtain email accounts at customized domains like the email accounts listed in Attachment A. Subscribers obtain an account by registering with Liquid Web, Inc. During the registration process, Liquid Web, Inc. asks subscribers to provide basic personal information. Therefore, the computers of Liquid Web, Inc. are likely to contain stored electronic communications (including retrieved and unretrieved email for Liquid Web, Inc. subscribers).

30. In my training and experience, email providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account (such as logging into the account via the provider's website), and other log files that reflect usage of the account. In addition, email providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account.
Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account.

31. As explained herein, information stored in connection with an email account may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For example, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, information maintained by the email provider can show how and when the account was accessed or used. For example, as described below, email providers typically log the Internet Protocol (IP) addresses from which users access the email account along with the time and date. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner. Additionally, information stored at the user's account may further indicate the geographic location of the account user at a particular time (e.g., location information integrated into an image or video sent via email).
Last, stored electronic data may provide relevant insight into the email account owner's state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner's motive and intent to commit a crime (e.g., communications relating to the crime), or consciousness of guilt (e.g., deleting communications in an effort to conceal them from law enforcement).

32. Bitcoin is a type of virtual currency, circulated over the Internet as a form of value. Bitcoin are not issued by any government, bank, or company, but rather are controlled through computer software operating via a decentralized, peer-to-peer network. Bitcoin is just one of many varieties of virtual currency.

33. Bitcoin are sent to and received from Bitcoin "addresses." A Bitcoin address is somewhat analogous to a bank account number and is represented as a 26-to-35-character-long case-sensitive string of letters and numbers. Each Bitcoin address is controlled through the use of a unique corresponding private key, a cryptographic equivalent of a password or PIN needed to access the address. Only the holder of an address' private key can authorize any transfers of Bitcoin from that address to other Bitcoin addresses. Users can operate multiple Bitcoin addresses at any given time, with the possibility of using a unique Bitcoin address for each and every transaction.

34. To transfer Bitcoin to another address, the sender transmits a transaction announcement, signed with the sender's private key, across the peer-to-peer Bitcoin network. The Bitcoin address of the receiving party and the sender's private key are the only pieces of information needed to complete the transaction. These two keys by themselves rarely reflect any identifying information. As a result, little-to-no personally identifiable information about the sender or recipient is transmitted in a Bitcoin transaction itself.
Once the sender's transaction announcement is verified, the transaction is added to the blockchain, a decentralized public ledger that records all Bitcoin transactions. The blockchain logs every Bitcoin address that has ever received a bitcoin and maintains records of every transaction for each Bitcoin address.

35. While the identity of the Bitcoin address owner is generally anonymous (unless the owner opts to make the information publicly available), analysis of the blockchain can often identify the owner of a Bitcoin address. The analysis can also reveal additional addresses controlled by the same individual or entity. For example, a user or business may create many Bitcoin addresses to receive payments from different customers. When the business wants to move the bitcoin that it has received, it may group those addresses together to send a single transaction. Analysis of the blockchain information associated with such a transaction would indicate that each of those addresses was, in fact, part of a "cluster" of Bitcoin addresses controlled by a single entity. This analysis allows law enforcement and the private sector alike to gain insight into all of the addresses associated with a company. Several companies specializing in blockchain analysis create large databases for building these clusters and offer software products to facilitate this sort of analysis.

36. To acquire bitcoin, a typical user will purchase them from a virtual currency exchanger. A virtual currency exchange is a business that allows customers to trade virtual currencies for other forms of value, such as conventional fiat money (e.g., U.S. dollar, Russian ruble, Euro). When a user wishes to purchase bitcoin from an exchanger, the user will typically send payment in the form of fiat currency, often via bank wire, or other virtual currency to an exchanger, for the corresponding quantity of bitcoin, based on a fluctuating exchange rate.
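The address-clustering analysis described in paragraph 35 (and the tracing of a cluster's outgoing payments to exchangers, the lead that paragraph 37 describes), as an added Python illustration that is not part of the affidavit: it applies the common-input-ownership heuristic with a union-find structure over a small constructed ledger. Every transaction id, address label and exchange label below is made-up sample data, and the label table stands in for the vendor or exchanger-supplied attribution the affidavit mentions.

```python
"""Common-input-ownership clustering over a constructed sample ledger.

Heuristic (paragraph 35): every address that signs an input of the same
transaction is assumed to be controlled by one entity, so those addresses
are merged into one cluster. Union-find makes the merge transitive.
"""
from collections import defaultdict

# Constructed sample ledger (not real blockchain data). Each entry lists the
# addresses whose keys signed the inputs and the addresses paid by the outputs.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["custA"], "outputs": ["biz1"]},
    {"txid": "tx2", "inputs": ["custB"], "outputs": ["biz2"]},
    {"txid": "tx3", "inputs": ["custC"], "outputs": ["biz3"]},
    # The receiving business sweeps three of its payment addresses at once.
    {"txid": "tx4", "inputs": ["biz1", "biz2", "biz3"], "outputs": ["exchDeposit1"]},
    {"txid": "tx5", "inputs": ["custD"], "outputs": ["biz4"]},
    # A later sweep links biz4 to the same wallet through biz1.
    {"txid": "tx6", "inputs": ["biz4", "biz1"], "outputs": ["exchDeposit2"]},
    # Unrelated single-input payment; must not join the business cluster.
    {"txid": "tx7", "inputs": ["custA"], "outputs": ["custB"]},
]

# Constructed label table standing in for an exchanger's known deposit
# addresses (hypothetical exchange name; real labels would come from the
# exchanger or a blockchain-analysis vendor).
EXCHANGE_DEPOSIT_ADDRESSES = {
    "exchDeposit1": "ExampleExchange",
    "exchDeposit2": "ExampleExchange",
}


class DisjointSet:
    """Union-find keyed by address string, with path halving on find."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return {address: frozenset(cluster members)} for every input address."""
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:          # register single-input addresses as well
            ds.find(addr)
        for addr in ins[1:]:      # all co-signing inputs share one owner
            ds.union(ins[0], addr)
    groups = defaultdict(set)
    for addr in ds.parent:
        groups[ds.find(addr)].add(addr)
    return {addr: frozenset(members)
            for members in groups.values() for addr in members}


def cluster_of(txs, addr):
    """Sorted addresses clustered with `addr` (just [addr] if it never co-signed)."""
    return sorted(cluster_addresses(txs).get(addr, {addr}))


def exchange_deposits(txs, addr, exchange_labels):
    """Transactions in which the cluster containing `addr` paid a labelled
    exchanger deposit address: the transactions an investigator would cite
    when seeking customer records from that exchanger (paragraph 37).
    Returns a sorted list of (txid, exchange_name)."""
    members = set(cluster_of(txs, addr))
    hits = []
    for tx in txs:
        if members.intersection(tx["inputs"]):
            for out in tx["outputs"]:
                if out in exchange_labels:
                    hits.append((tx["txid"], exchange_labels[out]))
    return sorted(hits)


if __name__ == "__main__":
    print("cluster of biz2:", cluster_of(SAMPLE_TXS, "biz2"))
    print("cluster of custA:", cluster_of(SAMPLE_TXS, "custA"))
    print("exchange deposits:", exchange_deposits(SAMPLE_TXS, "biz4", EXCHANGE_DEPOSIT_ADDRESSES))
```

The heuristic is only a heuristic: transactions whose inputs are deliberately contributed by several parties would wrongly merge their addresses, so real analysis treats a cluster as a lead to corroborate with exchanger records rather than as proof of common control.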
The exchanger, usually for a commission, will then either sell the user bitcoin from the exchange's reserves or will attempt to broker the purchase with another user who is trying to sell bitcoin. The purchased bitcoin are then transferred to the purchaser's Bitcoin address, allowing the user to conduct transactions with other Bitcoin users. Virtual currency exchanges doing business in the United States are regulated under the Bank Secrecy Act and must collect identifying information of their customers and verify their clients' identities.

37. Since the blockchain serves as a searchable public ledger of every Bitcoin transaction, investigators may trace transactions to Bitcoin exchangers. Since those exchangers collect identifying information about their customers, subpoenas or other appropriate process submitted to these exchangers can reveal the true identity of the individual responsible for the transaction.

CONCLUSION

38. Based upon the above information, your affiant submits that there is probable cause to believe that within information on the premises controlled by Liquid Web, Inc., and on the premises controlled by Proven Data Recovery, as set forth in Attachment A (Property to be Searched), there exists evidence, fruits, and instrumentalities of violations of the Subject Offense, as set forth in Attachment B (Particular Things to be Seized).

39. Because the warrants will be served on Liquid Web and Proven Data Recovery, who will then compile the requested records at a time convenient to it, reasonable cause exists to permit the execution of the requested warrant at any time in the day or night.

Respectfully submitted,

Signature Redacted
Jayanth Swamidass
Special Agent, Federal Bureau of Investigation

Subscribed and sworn to before me on the ___ day of January 2018.

Signature Redacted
Kevin F. McCoy
United States Magistrate Judge

ATTACHMENT A
Property to Be Searched

This warrant applies to information associated with service@provendata.com and service@provendatarecovery.com that is stored at premises owned, maintained, controlled, or operated by Liquid Web, Inc., a company headquartered at 2703 Ena Drive, East Lansing, Michigan 48917.

ATTACHMENT B
Particular Things to be Seized

I. Information to be disclosed by Liquid Web, Inc. (the "Provider")

To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider, including any emails, records, files, logs, or information that has been deleted but is still available to the Provider, or has been preserved pursuant to a request made under 18 U.S.C. § 2703(f) on January 2, 2018, the Provider is required to disclose the following information to the government for each account or identifier listed in Attachment A:

a. The contents of all emails associated with the accounts, including stored or preserved copies of emails sent to and from the account, draft emails, the source and destination addresses associated with each email, the date and time at which each email was sent, and the size and length of each email;

b. All records or other information regarding the identification of the accounts, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);

c. The types of service utilized;

d.
All records or other information stored at any time by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files;

e. All records pertaining to communications between the Provider and any person regarding the account, including contacts with support services and records of actions taken.

II. Information to be seized by the government

All information described above in Section I that constitutes fruits, evidence and instrumentalities of violations of Title 18, United States Code, Section 371, Title 18, United States Code, Section 1343, and Title 18, United States Code, Section 1030, those violations involving the subject responsible for DMA Locker ransomware attacks and occurring after February 1, 2016, including, for each account or identifier listed on Attachment A, information pertaining to the following matters:

Any communication with any of the following email accounts: week4004@fastmail.com, january0040@gmx.com, january0060@gmx.com, team2002@gmx.com, team4004@gmx.com, team8008@gmx.com, or any other email address found to be used by a subject associated with the DMA Locker ransomware attacks.

Information identifying, or that could lead to the identification of, any financial account owned or utilized by the subject responsible for DMA Locker attacks.

Information identifying any victim of DMA Locker.

Information related to any financial transaction between any party and an account identified as one owned or utilized by the subject responsible for DMA Locker attacks.

Evidence indicating how and when the email account was accessed or used, to determine the geographic and chronological context of account access, use, and events relating to the crime under investigation and to the email account owner.

Evidence indicating the email account owner's state of mind as it relates to the crime under investigation.
The identity of the person(s) who created or used the user IDs, including records that help reveal the whereabouts of such person(s).

The identity of the person(s) who communicated with the user IDs about matters relating to DMA Locker ransomware attacks, including records that help reveal their whereabouts.