I’m happy to say that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement, a number of important arrests have been made in connection with the Reveton ransomware. The Spanish police announcement can be found here [Spanish].
Over the past several months Trend Micro researchers have been providing evidence and intelligence related to the Reveton ransomware, or “police trojan”. Law enforcement in Spain first became interested in this malware as a result of complaints they were receiving from victims of the scam. Trend Micro and Spanish law enforcement agencies have collaborated extremely closely, sharing intelligence, samples and related technical detail. As a direct result of activities carried out by Trend Micro threat research, Spanish law enforcement was able to map the criminal network infrastructure, including the traffic redirection and command-and-control servers. Some of the intelligence gathered by law enforcement enabled them to reach a high degree of certainty about the identity of one of the individuals at the very top of this criminal gang.
That intelligence has directly contributed to the arrest of at least 11 individuals. One of those arrested is a 27-year-old man believed to be one of the head members of the cybercriminal gang that produces the ransomware strain we know as Reveton. The arrest of this cybercriminal of Russian origin took place in Dubai, United Arab Emirates, and extradition to Spain is being worked on in order to bring him to justice. Along with the arrest of this individual, the operation involved taking down the part of the gang in charge of monetizing the PaySafeCard/UKash vouchers received as payment in the scam. The gang had a branch in Spain that exchanged these vouchers and converted them into real money, which would then be sent to the main gang in Russia. Ten of those arrested are believed to have been involved in this money laundering activity: 6 of them are Russian, 2 Ukrainian and 2 Georgian, and all of them were based in Spain. Police estimate that this single group was laundering more than €1.000.000 in a single year.
This coordinated activity (in much the same way as the Trend Micro/FBI action against the DNS Changer gang last year), leading directly to the arrest of individuals believed to be actively engaged in cybercrime rather than simply to the takedown of associated infrastructure, should serve as a model for how the security industry and law enforcement can effectively cooperate in the fight against online crime.