LockBit / Conti investigation in Kyiv
Ukrainian authorities investigate a Kyiv apartment belonging to an alleged affiliate of the LockBit and Conti operations. Image: Ukrainian Cyber Police

Ukrainian police identify suspected affiliate of Conti, LockBit groups

Ukrainian cyber police say they have identified a local hacker affiliated with the notorious Conti and LockBit ransomware gangs.

The 28-year-old resident of Kyiv allegedly specializes in the development of cryptors — malicious tools used to encrypt malware and make it more difficult for antivirus software to detect and analyze, police said.

The man sold his services for a reward in cryptocurrency to hackers connected to the Russia-linked Conti and LockBit ransomware groups, according to a police statement released on Wednesday.

Ukrainian police did not specify if the suspect was currently in custody. The agency’s spokesman told Recorded Future News that “investigative actions are currently underway, including the analysis of information contained in seized devices in order to collect additional evidence and identify other persons who may have been involved in the offense.”

A statement last week by the Dutch police said the suspect was arrested in April as part of Operation Endgame — one of the largest international law enforcement actions against botnets. Authorities took down or disrupted 100 servers used by criminals and seized over 2,000 malicious domains.

“The Dutch investigative services are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war,” the statement said.

LockBit has been one of the most prolific ransomware operations over the past four years. Its malware has disrupted thousands of businesses worldwide, including Boeing and the U.K.’s Royal Mail.

In February, police shut down its extortion site, but the criminals likely resurrected it in May. An FBI official recently stated that U.S. authorities have more than 7,000 decryption keys that can help LockBit victims reclaim their data.

Conti is known for attacks on U.S. healthcare organizations. In 2022, the U.S. offered a reward of up to $10 million for information on the identification and location of any individual who holds a Conti leadership position.

The malware allegedly disguised with cryptors by the Ukrainian hacker was used at the end of 2021 to infect the computer networks of companies in the Netherlands and Belgium, Ukrainian police said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.