Hacker Connected to Conti and LockBit Ransomware Arrested in Ukraine

• A Kyiv native was arrested for providing their encryption skills to Conti and LockBit ransomware groups.
• The accused cybercriminal also helped the hacker gangs evade detection.
• The arrest is part of a larger Europol-coordinated operation of bringing threat actors to justice.

The Ukrainian Cyber ​​Police and National Police investigators, together with the High Tech Crime Team of the National Operations and Interventions Unit in the Netherlands, have identified a 28-year-old cryptor specialist from Kyiv who cooperated with Russian ransomware groups and helped them evade detection.

The Ukrainian authorities say the individual participated in the 2021 Conti ransomware attack, which targeted a Dutch multinational’s systems in the Netherlands and Belgium. There’s also proof of connections to the LockBit ransomware operations.

At the Public Prosecution Service’s request and as part of the pre-trial investigation, Ukrainian police, together with the patrolmen of the special unit "TacTeam" of the TOR DPP battalion, carried out house searches in the city of Kyiv and the Kharkiv region on April 18, seizing computer equipment, mobile phones, and documents for further inquiry.

This police investigation is part of Operation Endgame, an internationally coordinated operation against botnets that targeted the cyberinfrastructure used for malware, leading to four arrests and more than 100 Internet servers seized.

The top five countries hit by LockBit are the US, UK, France, Germany, and China. The ransomware group targeted over 100 healthcare entities, and at least 2,110 victims had to negotiate with the group.

Law enforcement shut down LockBit's infrastructure in February 2024 in Operation Cronos, seizing several servers with decryption keys. This led to the progressive acquisition of approximately 7,000 LockBit keys that the FBI now offers for free to U.S. and international victims.