An email containing GandCrab ransomware disguised as a police summons notification. / Photo by National Police Agency
[Asia Economy Reporter Lee Gwan-ju] A man in his 20s who impersonated public institutions such as the police to distribute 'GandCrab ransomware' and extort money has been caught by the police.
The Cyber Investigation Bureau of the National Police Agency's National Investigation Headquarters announced on the 9th that it had arrested Yoo Mo (20) on charges including violation of the Communication Network Act.
Ransomware, a term combining the words 'ransom' and 'software,' is a malicious program that locks systems or encrypts data to make them unusable and then demands money. GandCrab is a type of ransomware that was distributed worldwide from 2018 until May 2019.
Yoo is accused of preparing 95 internet domain addresses to impersonate police stations and other institutions and, from February to June 2019, receiving ransomware from accomplices and sending GandCrab ransomware disguised as 'attendance notices' via email 6,486 times. The national institutions Yoo impersonated were police stations (6,455 times), the Constitutional Court (8 times), and the Bank of Korea (2 times).
When a recipient was infected by the ransomware sent in this way, files such as documents and photos were encrypted, and Yoo demanded the transfer of virtual currency worth about $1,300 as a restoration fee. If the victim paid the restoration fee, the ransomware developer received it and, through brokers, passed 7% of the criminal proceeds down the chain to the distributor. The police have identified that Yoo infected at least 120 people using this method and earned about 12 million KRW in criminal proceeds.
Yoo carefully evaded investigation by laundering IP addresses through multiple countries and receiving criminal proceeds in virtual currency, but was eventually caught due to the police's persistent tracking. Over more than two years, the police conducted international joint investigations with 10 countries, analyzing 30 million virtual currency transaction flows and 27,000 communication records. Through this, they succeeded in seizing the internet domain addresses and emails Yoo purchased for impersonation and were able to identify him. The police are tracking the accomplice who developed the ransomware together with the International Criminal Police Organization (ICPO, Interpol).
The police urged, "If you receive suspicious emails, please be careful never to click on attachments until safety is confirmed and follow the damage prevention guidelines."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

