Ukrainian cops collar Kyiv programmer believed to be Conti, LockBit linchpin

28-year-old accused of major ransomware attacks across Europe


An alleged cog in the Conti and LockBit ransomware machines is now in handcuffs after Ukrainian police raided his home this week.

The 28-year-old Kyivan's identity is being kept a secret for now, but he faces a potential maximum sentence of 15 years if found guilty of violating the Criminal Code of Ukraine relating to the abuse of computer systems.

According to the authorities' description, the individual played a significant role in both the Conti and LockBit operations, and was tasked in some capacity with building the main encryptor used by the gangs.

"The police found out that the young man specialized in the development of encryptors – special software for masking computer viruses under the guise of safe files," reads an announcement, automatically translated from Ukrainian into English.

"Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses."

The announcement from the cyber team in Ukraine's national police accuses the arrested individual of being responsible for Conti attacks on the Netherlands and Belgium. Given Conti's dominance on the ransomware scene between 2019 and 2022, that could refer to any number of organizations.

However, the Dutch Politie narrowed it down to a "multinational" in 2021. As for what company that may be, one attack springs to mind, but without any confirmation at the time of publication we're reluctant to even hint towards it.

Police in the Netherlands first broke the news of the arrest last week, which actually took place back on April 18 but was only announced in recent days.

It also confirmed the links between the arrest and the ongoing Europol-led Operation Endgame, which recently saw the takedown of various malware loaders and botnets. The Ukrainian police and Operation Endgame itself amplified the arrest on Wednesday and Thursday respectively.

Ukrainian police shared images of the accused's home and of the abundance of seized computer hardware, mobile phones, and notebooks, which must surely have been ransacked for evidence by now.

The arrest comes amid a heightened focus on LockBit in recent months, and taking down as many of its members as possible.

Operation Cronos disrupted the gang in February, leaking various secrets such as the fact that many of its affiliates never made a penny from the program, and how victims who paid ransoms didn't actually have their data deleted.

However, Cronos's efforts were short-lived as Dmitry Khoroshev's gang is still operating, just at a less prolific rate.

As part of the LockBit leak week in February, Ukrainian police announced the arrest of a father-son duo who together were believed to have formed a criminal partnership by working as a ransomware affiliate.

Another arrest in Poland was also made, and that followed others in the months prior. Then-20-year-old Apple fanboy Ruslan Magomedovich Astamirov was nabbed in June last year for allegedly working for Khoroshev, and a year before that Mikhail Vasiliev, a Canadian-Russian national living in Bradford, Ontario, was also cuffed for the same reasons.

One of the few LockBit profiteers to actually get caught and sentenced, Vasiliev landed himself a four-year prison term in March. Many have the good sense to stay in Russia or other countries where they can avoid extradition. According to recent reports, they enjoy safe haven in the West's main adversarial countries, but still find ways to holiday without getting caught. ®
