LockBit and Conti Ransomware Groups

The Cyber Police of Ukraine has announced the arrest of a local man who is suspected to have offered their services to LockBit and Conti ransomware groups.

The unnamed 28-year-old native of the Kharkiv region allegedly specialized in the development of crypters to encrypt and obfuscate malicious payloads in order to evade detection by security programs.

The product is believed to have been offered to the Conti and LockBit ransomware syndicates that then used the crypter to disguise the file-encrypting malware and launch successful attacks.

"And at the end of 2021, members of the [Conti] group infected the computer networks of enterprises in the Netherlands and Belgium with hidden malware," according to a translated version of the statement released by the agency.

As part of the investigation, authorities conducted searches in Kyiv and Kharkiv, and seized computer equipment, mobile phones, and notebooks. If found guilty, the defendant is expected to face up to 15 years in prison.

News of the arrest was also echoed by the Dutch Politie, which said the individual was arrested as part of Operation Endgame on April 18, 2024.

Cybersecurity

"The Conti group has used several botnets that were also the subject of research within Operation Endgame," the Politie said earlier this month.

"In this way, the Conti group gained access to companies' systems. By targeting not only the suspects behind the botnets, but also the suspects behind the ransomware attacks, this form of cybercrime is dealt a major blow."

In recent months, law enforcement authorities have engaged in a series of arrests and takedowns to combat cybercrime. Last month, the U.S. Justice Department announced the arrest of a Taiwanese national named Rui-Siang Lin in connection with his ownership of an illegal dark web narcotics marketplace called the Incognito Market.

Lin is also said to have launched a service called Antinalysis in 2021 under the alias Pharoah, a website designed to analyze blockchains and let users check whether their cryptocurrency could be connected to criminal transactions for a fee.

The darknet bazaar attracted attention earlier this March when its site went offline in an exit scam of sorts, only to reappear a few days later with a message extorting all of its vendors and buyers, and threatening to publish cryptocurrency transactions and chat records of users unless they paid anywhere between $100 and $20,000.

"For nearly four years, Rui-Siang Lin allegedly operated 'Incognito Market,' one of the largest online platforms for narcotics sales, conducting $100 million in illicit narcotics transactions and reaped millions of dollars in personal profits," James Smith, the assistant director in charge of the FBI New York field office, said.

"Under the promise of anonymity, Lin's alleged operation offered the purchase of lethal drugs and fraudulent prescription medication on a global scale."

According to data compiled by blockchain analysis firm Chainalysis, darknet markets and fraud shops received $1.7 billion in 2023, indicating a rebound from 2022 since the closure of Hydra early that year.

The development comes as GuidePoint Security revealed that a current affiliate of the RansomHub ransomware group, who was previously a BlackCat affiliate, also has connections with the infamous Scattered Spider gang based on overlaps in observed tactics, techniques, and procedures (TTPs).

This encompasses the use of social engineering attacks to orchestrate account takeovers by reaching out to help desk personnel to initiate account password resets and the targeting of CyberArk for credential theft and lateral movement.

"User education and processes designed to verify the identity of callers are the two most effective means of combating this tactic, which will almost always pass undetected unless reported by employees," the company said.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.