Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups.
The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May's massive "Operation Endgame" botnet takedown.
Cryptor Developer Worked with Conti, LockBit
Ukraine cyber police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups.
The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn't made, according to the Dutch announcement, which cited work by the Netherlands' High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine's assistance in the case as part of their investigation.
As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below).
[Image: Items seized in Ukraine ransomware arrest]
The Ukraine cyber police said the man "specialized in the development of cryptors," or "special software for masking computer viruses under the guise of safe files" (quotes translated from the Ukraine statement).
"Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses," the Ukraine statement added.
LockBit Remains Active Despite Repeated Enforcement Activities
The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent.
Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from.
Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for punishment of up to 15 years of imprisonment, and additional charges are possible.
Netherlands officials thanked the Ukrainian investigators for their assistance and said they "are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war."