International operation takes down crypting sites used for testing malware

Multiple sites used to test malware against real antivirus tools were taken down by law enforcement in the U.S. and Netherlands last week. 

According to applications for warrants filed with Texas Southern District Court on May 15 and unsealed on Thursday, the Justice Department took down four domains: AVCheck.net, Crypt.guru, Cryptor.live and Cryptor.biz. 

The websites were officially seized on May 27 in coordination with Finnish and Dutch national police as part of the ongoing Operation Endgame — an international law enforcement campaign against cybercriminal organizations that has resulted in multiple takedowns, arrests and platform seizures over the last two years. Many of the malware developers identified in Operation Endgame used AVCheck and the other platforms to test their tools. 

The sites were used for more than a decade by cybercriminals who wanted to test and perfect their malware against cyber defense tools. 

“Taking the AVCheck service offline marks an important step in tackling organized cybercrime,” said senior Dutch official Matthijs Jaspers. “This will disrupt cybercriminals as early as possible in their operations and prevent victims.” 

The platforms, according to law enforcement, were part of an online software crypting syndicate. Crypting is a process where cybercriminals use software to test their malware against cyber defenses.  

National police officials in the Netherlands said AVCheck is one of the largest counter antivirus services used internationally by cybercriminals. They called the use of crypting services an “essential step in deploying malware.”

The tools “allow criminals to obfuscate malware, making it undetectable and enabling unauthorized access to computer systems,” the U.S. Justice Department said. 

“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” said FBI Houston Special Agent in Charge Douglas Williams. 

“By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems.”

‘Enablers’

The law enforcement agencies said they made undercover purchases from the seized websites, analyzed their services and confirmed that they were used for cybercrime. 

The DOJ noted that their investigation uncovered email addresses and data linking the platforms to ransomware gangs like Ryuk that have attacked victims in the U.S. and abroad. 

“Through investigation in collaboration with foreign partners, the FBI determined that Ryuk actors utilize cryptor[.]biz as a service responsible for developing and deploying Ryuk. One such actor, who is directly associated with the development of the malware, has been linked to several accounts at multiple counter-antivirus and crypting services,” the FBI said in court filings. 

“The use of cryptor[.]biz has been identified in several additional investigations within the United States, and law enforcement authorities have identified the service as being associated with at least 37 other investigations spanning 29 different FBI field offices.” 

Crypting services are advertised widely across cybercriminal forums and can cost anywhere from $15 to $1,000 depending on the number of times a customer wanted to test their malware. 

U.S. Attorney Nicholas Ganjei said the operation is part of a larger effort to not just target individual hackers but also the “enablers of these cybercriminals as well.”

“This investigation did exactly that. With this syndicate shut down, there is one less provider of malicious tools for cybercriminals out there,” he said.