Written by Sean Lyngaas

South Korea’s National Police Agency said Tuesday that it had arrested a suspect involved in the distribution of thousands of emails laced with GandCrab, a once-prolific strain of ransomware.

The suspect, whom South Korean authorities did not name, is accused of setting up internet domains to distribute the malicious code and netting some $10,500 from the ransomware attacks.

The police statement described an investigation spanning two years and 10 countries, culminating in the suspect’s arrest on Feb. 25. Those police resources overcame the suspect’s efforts to cover their tracks by using IP addresses from different countries, police said. The investigation began when South Korean officials spotted malicious emails impersonating the police to distribute the ransomware.

South Korean outlet Yonhap News reported that the suspect was 20 years old.

At its height, GandCrab was one of the most commonly used strains of ransomware, infecting more than half a million victims from 2018 to February 2019, according to Europol. Security firm Bitdefender, working with European and U.S. law enforcement agencies, developed a decryption tool to help victims recover from GandCrab infections.

GandCrab operated on a “ransomware-as-a-service” model in which the developers leased out their tools to other criminals. GandCrab’s operatives claimed in mid-2019 that they were shutting down that service model. But researchers say that GandCrab’s authors continued to have a hand in ransomware infections in 2019.