South Korean police arrest computer repairmen who made and distributed ransomware

South Korean authorities have filed charges today against nine employees of a local computer repair company for creating and installing ransomware on their customers' computers.

The scheme netted the suspects more than 360 million won ($321,000) in ransomware payments from 40 companies they serviced throughout 2020 and 2021.

Not all of the company's employees were involved in the scheme; only nine employees from the company's Seoul offices took part.

Repairmen initially inflated ransom demands

According to police officials, the scheme got underway last year after some of the repair shop's customers reached out to employees to help deal with ransomware infections that encrypted enterprise systems.

The rogue employees initially helped companies negotiate and pay ransoms and then decrypt affected systems. However, as attacks kept coming, police investigators said the rogue employees also began tampering with the encrypted computers they were contracted to service.

In at least 17 incidents, the employees modified ransom notes to inflate the original ransom demands in order to obtain larger funds from the victimized companies. 

In some cases, ransom demands were inflated to as much as ten times the initial request (e.g., from 0.8 bitcoin to 8 bitcoins), allowing the rogue employees to pocket huge profits every time a victim company agreed to pay.

Group also created its own ransomware strain

But as the group found success with their scheme, they also created their own ransomware strain.

Investigators said the group of rogue employees would restore systems impacted by ransomware attacks but also leave a backdoor that they'd later use to deploy their own ransomware and extort the company again, this time keeping the entirety of the profits.

While the rogue employees initially planted their ransomware on the computer systems of existing ransomware victims, they also began planting it on the clean systems of regular customers that came in with mundane issues.

South Korean officials said that some companies were often hit twice and would suspect the attack came from their IT support, which eventually led to some victims filing police complaints.

After a months-long investigation, charges were formally filed today against both the nine employees and their employer. The names of the nine suspects and their employer were not released.

Two suspects, a 43-year-old and a 44-year-old, were also arrested and remain in police custody; they are believed to be the heads of the entire operation.

No.  Suspect (age)   Charges                                                                                   Arrested
1    A (43)          Ransomware distribution, email falsification, intentional PC infection, inflating repair costs   X
2    B (44)          Ransomware distribution, PC partition damage, inflating recovery costs                          X
3    C (43)          Ransomware production and distribution, inflating recovery costs
4    D (37)          Spreading ransomware, inflating recovery costs
5    E (48)          Spreading ransomware, inflating recovery costs
6    F (45)          Inflating recovery costs
7    G (48)          Inflating recovery costs
8    H (48)          Inflating recovery costs
9    I (37)          Inflating recovery costs
10   J (company)     Orthodox Net Law's Penalty Regulations

Today's arrests mark the second ransomware gang crackdown in which South Korean officials were involved. They also worked with US and Ukrainian law enforcement to arrest six suspects linked to the Clop ransomware gang.

Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.