DOJ gives Russian national two-year sentence for work shielding Kelihos malware and other ransomware

Oleg Koshkin allegedly operated the websites "crypt4u.com," "fud.bz," and others that helped hackers "render malicious software fully undetectable by nearly every major provider of antivirus software."
Written by Jonathan Greig, Contributor

The Department of Justice sentenced 41-year-old Oleg Koshkin to two years in prison for his work in helping to "conceal" the Kelihos malware and other ransomware from antivirus software. He was facing up to 15 years in prison. 

According to the DOJ, Koshkin ran Crypt4U.com, Crypt4U.net, fud.bz and fud.re, websites that helped hackers evade "nearly every major provider of antivirus software." The tools allegedly enabled malware like Kelihos and others to be undetectable.

Koshkin was arrested in California in September 2019 and transported to Connecticut for his trial before being convicted in June on one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse. 

He was arrested in conjunction with Peter Levashov, the operator of the Kelihos botnet who lived in Estonia. Levashov was detained in Barcelona before being extradited to the US and pleading guilty to a federal charge. His sentencing is next year.

Acting US Attorney Leonard Boyle said Koshkin's websites "provided a vital service to cybercriminals, allowing them to hide their malware from antivirus programs and use it to infect thousands of computers all over the world." Assistant Attorney General Kenneth Polite Jr. said he "provided a critical service used by cybercriminals to evade one of the first lines of cybersecurity defense, antivirus software." 

"Cybercriminals depend on services like these to infect computers around the world with malware, including ransomware," Polite Jr. said. 

The DOJ said Koshkin and others marketed their websites by claiming they could be used for malware such as botnets, remote access trojans, keyloggers, credential stealers, and cryptocurrency miners.

"The criminal nature of the Crypt4U service was a clear threat to the confidentiality, integrity, and availability of computer systems everywhere," FBI agent David Sundberg said in June.

Koshkin helped Levashov crypt the Kelihos malware multiple times each day through a system the two created and allowed him to distribute the malware through multiple criminal affiliates. 

"The Kelihos botnet was used by Levashov to send spam, harvest account credentials, conduct denial of service attacks, and to distribute ransomware and other malicious software," the DOJ said. 

"According to evidence presented at Koshkin's sentencing, Kelihos relied on the crypting services provided by Crypt4U from 2014 until Levashov's arrest in April 2017, and just in the last four months of that conspiracy, Kelihos infected approximately 200,000 computers around the world."

The DOJ said in their lawsuit that Levashov paid Koshkin $3,000 per month for his services. At its peak, the Kelihos botnet was able to infect at least 50,000 PCs and survived multiple attempts by law enforcement to disrupt it.  

In 2017, the FBI, security company Crowdstrike and the Department of Justice started blocking domains associated with the Kelihos botnet, one of the most prolific networks of hacker-controlled computer systems in the world.

The network of infected Windows machines was known to send spam emails, distribute ransomware and malware, harvest usernames and passwords and engage in Bitcoin theft and spamming.

Levashov is reported to have operated multiple botnets since the 1990s, including Kelihos, Storm, and Waledac. 
