All crypting kingpins cuffed
Romanian police have arrested a pair of suspected cybercriminals who allegedly made a fortune running a malware encryption service that helped cybercriminals bypass antivirus defenses.
The unnamed duo are suspected of running the CyberSeal and Dataprotector ‘crypting’ services that were said to be used by more than 1,500 criminals to develop remote access trojans (RATs), information stealers, and ransomware.
Malware writers use crypting services to disguise their malicious software as something benign.
These illicit crypting services – in operation since 2010 – charged their clients between $40 and $300, depending on license conditions.
“[The] service activity was well structured and offered regular updates and customer support to the clients,” according to a statement by investigators at European policing body Europol.
The same pair of suspects also operated a service which allowed their clients to test their malware against antivirus tools.
The prices for this service, branded as Cyberscan, varied between $7 and $40.
Such services are touted in underground markets as offering fully undetectable (FUD) capability but, in practice, what crooks are buying is a longer shelf life for their malicious code.
[Image: How do crypters work? (Image courtesy of Europol)]
Backend infrastructure takedown
An investigation led by the Romanian Police (Poliția Română) resulted in four house searches carried out in the cities of Bucharest and Craiova, two arrests, and the dismantling of backend infrastructure linked to the illicit services in Romania, Norway, and the US.
The FBI, the Australian Federal Police, the Norwegian National Criminal Investigation Service (Kripos) and Europol each assisted in Operation Invoke.
The Europol statement explains that its role included forensic, malware, and operational analysis in the early part of the operation, as well as a “virtual command post” on the day homes were raided and attack infrastructure was seized.