In a groundbreaking international collaboration, law enforcement agencies from seven countries, working in tandem with Europol and Eurojust, have successfully apprehended the core members of a ransomware group operating out of Ukraine.
This criminal network, responsible for debilitating cyberattacks on organizations in 71 countries, employed notorious ransomware variants such as LockerGoga, MegaCortex, HIVE, and Dharma to disrupt major corporations’ operations.
Roles within the network were diverse, ranging from members who breached IT networks to those who helped launder the cryptocurrency payments received from victims seeking to decrypt their files. The attackers employed various techniques, including brute-force and SQL injection attacks to steal user credentials, as well as phishing emails with malicious attachments to gain access to their targets’ networks.
Once inside, the cybercriminals utilized sophisticated tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally within networks and compromise additional systems before deploying their ransomware payloads. The investigation revealed that this organized group of ransomware affiliates successfully encrypted more than 250 servers of major corporations, resulting in losses exceeding several hundred million euros.
Coordinated Operation Against Ukraine Ransomware Group Involves Raids at 30 Locations
On November 21st, a coordinated operation involving raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia led to the arrest of the 32-year-old mastermind and the capture of four accomplices. Over 20 investigators from Norway, France, Germany, and the United States collaborated with the Ukrainian National Police in Kyiv, while Europol established a virtual command center in the Netherlands to process the data seized during the house searches.
This operation builds upon earlier arrests in 2021 related to the same law enforcement action, where 12 individuals linked to ransomware attacks against 1,800 victims in 71 countries were detained. The investigation, initiated by French authorities in September 2019, focused on locating threat actors in Ukraine and bringing them to justice with the support of a joint investigation team comprising Norway, France, the United Kingdom, and Ukraine, with financial backing from Eurojust. The collaboration also involved Dutch, German, Swiss, and U.S. authorities.
Law Enforcement Agencies That Took Part
Participating law enforcement agencies include Norway’s National Criminal Investigation Service (Kripos); France’s Public Prosecutor’s Office of Paris; the Netherlands’ National Police and National Public Prosecution Service; Ukraine’s Prosecutor General’s Office and National Police; Germany’s Public Prosecutor’s Office of Stuttgart and Police Headquarters Reutlingen; Switzerland’s Swiss Federal Office of Police, Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, and Zurich Cantonal Police; the United States Secret Service and Federal Bureau of Investigation; and Europol’s European Cybercrime Centre (EC3) and Eurojust.
This successful international police action marks a significant stride in combating ransomware threats on a global scale.