Suspected ransomware mastermind arrested in Poland

Polish national now faces 181 charges in court

The Polish Police, in cooperation with the Belgian Federal Police and Europol, has arrested a Polish national who is suspected of having encrypted several thousands of computers during a sustained ransomware campaign.

A release from Europol over the weekend detailed the exploits of an alleged cybercriminal known online as ‘Armaged0n’, who is suspected of infecting computer systems by spreading ransomware via emails impersonating official correspondence from well-known companies, including telecommunication providers, retailers, and banks.

Once installed on a victim’s computer, the ransomware encrypted the files on the infected system, offering a decryption key in return for a ransom payment of $200-400.

The suspect carried out ransomware campaigns on average every three to four weeks between 2013 and 2018, and invested the criminal profits into cryptocurrencies, Europol said.

181 charges

The investigation, conducted by the District Prosecutor’s Office in Warsaw and the Polish Police National Headquarters, unveiled that the suspect – named as ‘Tomasz T’ – had gone into hiding in Belgium.

He was arrested on March 14 upon trying to enter Poland, and now faces 181 charges in court, including money laundering and computer fraud.

Alongside allegedly spreading ransomware, the suspect also reportedly infected computer systems with a virus which stole bank account login credentials previously copied to the clipboard without the victim’s knowledge.

The suspect then allegedly wired money online to accounts he controlled, subsequently using pre-paid payment cards to cash out the profits.

According to the District Prosecutor’s Office in Warsaw, the suspect has pleaded guilty to the charges.

No More Ransom

The arrest of the suspected Polish cybercriminal follows Europol’s announcement last month that the No More Ransom project now has decryption tools for more than 80 malware families.

A joint initiative between the Netherlands’ National High Tech Crime Unit, Europol’s European Cybercrime Center, Kaspersky Lab, and McAfee, No More Ransom has helped more than 35,000 people retrieve their files since its launch in July 2016.

Following the arrest of the Polish suspect last week, the Polish Police has developed a decryption tool for the ransomware spread by ‘Armaged0n’ and are appealing to people who think they have fallen victim to this online fraudster to seek help at their nearest police station.