Earlier this month, the ransomware suspect known as Pornopoker was arrested at Domodedovo International Airport near Moscow on suspicion of distributing ransomware. While the ransomware writer’s official name has not been released, it is known that he is a 40-year-old resident of Volgograd, located in southeast Russia. Upon returning from Thailand, where it was believed the suspect and his spouse were hiding, Pornopoker was nabbed by Russian police and taken in for investigation. It is reported that the suspect worked with an accomplice, who has also been arrested; however, no other details have been provided on the accomplice.
Russia’s Ministry of Internal Affairs released a statement noting that the suspects had created scripts that, once a computer was infected, resulted in pop-up messages that appeared to be from Russian authorities and claimed the computer had been blocked for viewing pornographic images or websites. The messages stated that the user must pay a fine to recover access to the computer.
Following the arrest, the suspect confessed to the illegal activities and voluntarily turned over all computer equipment, memory cards, and bank cards associated with the activity. In return, SC Magazine reported, Pornopoker has now been placed under house arrest.
As reported yesterday with the takedown of the Avalanche malware distribution operation, there seems to be a common theme of cyber criminals posing as government agencies. Investigation into the Avalanche malware distribution operation began in 2012 after the discovery of the ransomware family Ransomlock.P, which posed as police in the ransom messaging on the infected computer. As reported, the FBI has announced that it performed a successful coordinated operation to take down this criminal network.