A Polish national using the online name "Armaged0n" has been arrested by the Polish Police, in cooperation with the Belgian Federal Police and Europol on suspicion of having used ransomware to encrypt several thousand computers in a series of online attacks on various Polish companies between 2013 and 2018.
The detainee faces 181 charges including money laundering and computer fraud. The Warsaw District Prosecutor's Office and the Polish Police National Headquarters report that the suspect went into hiding in Belgium, but was then arrested on 14 March 2018 when trying to enter Poland.
Ransomware campaigns were conducted every three to four weeks, delivered via emails impersonating official correspondence from well-known companies, including telecommunication providers, retailers and banks. Once installed on a victim's computer, the malware encrypted the victim's files and demanded a ransom payment of £150 to £300 for decryption. Proceeds were converted into cryptocurrencies.
BleepingComputer names the suspect as Tomasz T and says he is a well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains.
Europol, which supported the investigation by providing analysis and facilitating information exchange, reports that the suspect also infected computer systems with a virus that stole bank account login credentials previously copied to the clipboard, without the victim's knowledge. He then wired money online to accounts he controlled before using pre-paid payment cards to cash out the profits.
The Polish Police have reportedly developed a decryption tool for the "Armaged0n" ransomware and victims are urged to contact their nearest police station.