Cybercrime as-a-service , Encryption & Key Management , Fraud Management & Cybercrime

2 Arrested for Operating Malware Encryption Service

Romanians Allegedly Ran 'CyberSeal,' 'Dataprotector' and 'Cyberscan' Services
2 Arrested for Operating Malware Encryption Service
A breakdown of the encryption operation (Source: Europol)

Europol, the European law enforcement agency, has arrested two Romanians for allegedly selling services – including malware encryption - that helped cybercriminals circumvent antivirus tools.

See Also: Expel Quarterly Threat Report

The suspects, which Europol did not name, allegedly operated the CyberSeal and Dataprotector encrypting services along with Cyberscan, a service that allowed hackers to test their malware against antivirus tools, Europol announced Friday. The law enforcement agency states about 1,500 individuals purchased these services.

The suspects offered a variety of licensing and pricing plans. "Their clients paid between $40 to $300 for these crypting services, depending on license conditions," according to Europol. "Their service activity was well structured and offered regular updates and customer support to the clients."

The two suspects were arrested in Romania, and their infrastructure located in Romania, Norway and the United States was taken down, according to Europol.

The crackdown was led by Romanian Police working with the FBI, the Australian Federal Police, the Norwegian National Criminal Investigation Service and Europol under the auspices of the European Multidisciplinary Platform Against Criminal Threats legal framework.

"The coordination efforts in this case were led by Europol's European Cybercrime Center, which facilitated the exchange of information and provided forensic, malware and operational analysis in preparation for the action," Europol says.

Europol did not release any details on the pending charges.

Bypassing AV

The CyberSeal and Dataprotector operations encrypted and hid malware inside legitimate code so it would appear harmless to security software. Once installed on a targeted device, the encrypted malware would decrypt and then install remote access Trojans, information stealers and ransomware, Europol says.

The two suspects also allegedly offered a "counter antivirus" platform that enabled cybercriminals to test their malware against antivirus software, Europol says. The duo usually charged $7 to $40 for this service.

Encryption as a Service

Recorded Future noted in a report published in July that encryption as a service is a growing business, with some facilitators offering free samples to entice customers.

"Executing malware on a victim's machine while remaining undetected by antivirus software usually requires some technical skill, but there is a growing trend for these products to be offered as services by developers who provide user support, easy-to-use interfaces, and regular updates in response to new antivirus features in return for subscription fees rather than one-time purchases," the Recorded Future researchers note.

A crypter operates by compressing executables to reduce the size of the deliverable, evading sandboxing through virtual machine detection and masquerading as normal software, according to Recorded Future.

Europol notes that encryption services have been available on the darknet since 2010, with some high-profile criminal groups, including the GandCrab ransomware gang, using them (see: GandCrab Ransomware Partners With Crypter Service).


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.