2 Arrested for Operating Malware Encryption Service
Romanians Allegedly Ran 'CyberSeal,' 'Dataprotector' and 'Cyberscan' Services
Europol, the European law enforcement agency, has arrested two Romanians for allegedly selling services, including malware encryption, that helped cybercriminals circumvent antivirus tools.
The suspects, whom Europol did not name, allegedly operated the CyberSeal and Dataprotector encrypting services along with Cyberscan, a service that allowed hackers to test their malware against antivirus tools, Europol announced Friday. The law enforcement agency states that about 1,500 individuals purchased these services.
The suspects offered a variety of licensing and pricing plans. "Their clients paid between $40 to $300 for these crypting services, depending on license conditions," according to Europol. "Their service activity was well structured and offered regular updates and customer support to the clients."
The two suspects were arrested in Romania, and their infrastructure located in Romania, Norway and the United States was taken down, according to Europol.
The crackdown was led by Romanian Police working with the FBI, the Australian Federal Police, the Norwegian National Criminal Investigation Service and Europol under the auspices of the European Multidisciplinary Platform Against Criminal Threats legal framework.
"The coordination efforts in this case were led by Europol's European Cybercrime Center, which facilitated the exchange of information and provided forensic, malware and operational analysis in preparation for the action," Europol says.
Europol did not release any details on the pending charges.
The CyberSeal and Dataprotector operations encrypted and hid malware inside legitimate code so it would appear harmless to security software. Once installed on a targeted device, the encrypted malware would decrypt and then install remote access Trojans, information stealers and ransomware, Europol says.
The two suspects also allegedly offered a "counter antivirus" platform that enabled cybercriminals to test their malware against antivirus software, Europol says. The duo usually charged $7 to $40 for this service.
Encryption as a Service
Recorded Future noted in a report published in July that encryption as a service is a growing business, with some facilitators offering free samples to entice customers.
"Executing malware on a victim's machine while remaining undetected by antivirus software usually requires some technical skill, but there is a growing trend for these products to be offered as services by developers who provide user support, easy-to-use interfaces, and regular updates in response to new antivirus features in return for subscription fees rather than one-time purchases," the Recorded Future researchers note.
A crypter operates by compressing executables to reduce the size of the deliverable, evading sandboxing through virtual machine detection and masquerading as normal software, according to Recorded Future.
Europol notes that encryption services have been available on the darknet since 2010, with some high-profile criminal groups, including the GandCrab ransomware gang, using them (see: GandCrab Ransomware Partners With Crypter Service).