Ransomware gang dismantled in unprecedented police operation

A combined operation by law enforcement agencies across the world has smashed a major ransomware gang which had costs major corporations hundreds of millions of euros.

In what has been described as “an unprecedented effort”, law enforcement and judicial authorities from seven countries joined forces with Europol and Eurojust to dismantle and apprehend key figures behind significant ransomware operations wreaking havoc across the world. The operation, carried out in Ukraine comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.

Earlier this month 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader’s most active accomplices were also detained.

More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian National Police with their investigative measures. This set-up was mirrored from Europol’s headquarters in the Netherlands where a virtual command post was activated to immediately analyse the data seized during the house searches in Ukraine.

“This latest action follows a first round of arrests in 2021 in the framework of the same investigation,” a Europol spokesman explained. “Since then, a number of operational sprints have been organised at Europol and in Norway with the aim of forensically analysing the devices seized in Ukraine in 2021. This forensic follow-up work facilitated the identification of the suspects targeted during the action last week in Kyiv.”

The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organisations in 71 countries.

“These cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill,” Europol added. “They deployed LockerGoga, MegaCortex, HIVE and Dharma ransomware, among others, to carry out their attacks.

“The suspects had different roles in this criminal organisation. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.”

Those responsible for breaking into networks used a range of techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords.

Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.

Europol added: “The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.”

From the onset of the investigation, Europol’s European Cybercrime Centre (EC3) hosted operational meetings, providing digital forensic, cryptocurrency and malware support, and facilitating the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters.

Europol added the forensic analysis carried out in the framework of this investigation also allowed the Swiss authorities to develop, together with the No More Ransom partners and Bitdefender, decryption tools for the LockerGoga and MegaCortex ransomware variants. These decryptions tools have been made available for free on: www.nomoreransom.org.