An international law enforcement operation [1] [3] [7] [8], led by Europol and the European Union Agency for Criminal Justice Cooperation [7], has successfully dismantled a ransomware group in Ukraine responsible for high-profile attacks on corporations worldwide [4].

Description

The operation involved authorities from France [1] [2] [3] [6] [8], Germany [1] [2] [3] [6] [8], the Netherlands [2] [3] [6], Norway [1] [2] [3] [6] [8], Switzerland [2] [3] [6] [8], Ukraine [1] [2] [3] [4] [5] [6] [7] [8], and the US, and resulted in the arrest of a 32-year-old suspected ringleader and four accomplices. The arrests were the result of a four-year investigation by European and US law enforcement agencies [6] that included the seizure of devices and forensic analysis [6], enabling the identification of the individuals arrested [6], and that culminated in raids at 30 properties in Ukraine. The suspects are linked to ransomware families such as Hive [2], LockerGoga [1] [2] [3] [4] [5] [6] [7] [8], MegaCortex [1] [2] [3] [4] [5] [6] [7] [8], and Dharma [1] [2] [3] [4] [5] [6] [7] [8]. The investigation revealed that the group operated as affiliates [3], using various ransomware strains [3] [4] [6] [7], and that its members had different roles [4] [6]: some compromised IT networks while others laundered the cryptocurrency payments made by victims [2] [4].

Since 2019 the group targeted over 1,800 victims across 71 countries [2] [3]. To gain initial access to targeted networks [6], the attackers used brute-force attacks [1] [2] [3] [5] [6] [8], SQL injections [2] [3] [5] [6] [8], and phishing emails to steal credentials [2] [3] [5] [6]. Once inside the networks [6], they used tools such as the TrickBot malware [2] [6], Cobalt Strike [2] [3] [5] [6] [8], and PowerShell Empire to compromise systems before launching the ransomware and encrypting victims’ files [2] [3] [6]. The investigation revealed losses exceeding several hundred million euros [2] [8]. The Cyber Police of Ukraine played a crucial role in the takedown, disclosing that the criminals encrypted over 1,000 servers and caused damages exceeding $82 million [4].

As a result of the investigation, decryption tools for the LockerGoga and MegaCortex ransomware variants were developed by Swiss authorities [6] in collaboration with Bitdefender [1] [5] [6] and the No More Ransom project [1] [5] [6], enabling victims to recover their files without paying a ransom [1].

This development follows recent successful efforts to dismantle other cybercrime networks involved in voice phishing and ransomware attacks [3]. Ransomware attacks continue to be a significant problem globally [6] and are on the rise [4], with a recent report showing a significant increase in frequency [6] and a record number of 514 victims in September alone [4]. International cooperation in combating cyber threats [6], including ransomware [3] [6], remains strong [6], as the range of countries participating in this operation shows [6]. The International Counter Ransomware Initiative [6], launched in 2021 [6], now has 50 members [6].

Conclusion

The successful dismantling of the ransomware group in Ukraine has had significant impacts, including the arrest of the suspected ringleader and accomplices, the development of decryption tools for LockerGoga and MegaCortex [1] [6], and the recovery of victims’ files without paying a ransom. The operation highlights the importance of international cooperation in combating cyber threats and the ongoing efforts to mitigate the increasing frequency of ransomware attacks. The International Counter Ransomware Initiative [6], with its growing membership, demonstrates the commitment of countries to address this global problem.

References

[1] https://techcrunch.com/2023/11/28/europol-hackers-ransomware-lockergoga-hive/
[2] https://owasp.or.id/2023/11/28/key-cybercriminals-behind-notorious-ransomware-families-arrested-in-ukraine/
[3] https://thehackernews.com/2023/11/key-cybercriminals-behind-notorious.html
[4] https://uk.pcmag.com/security/149895/police-bust-ransomware-gang-in-ukraine-for-attacking-1800-victims
[5] https://www.infosecurity-magazine.com/news/ukraine-police-dismantle/
[6] https://securityboulevard.com/2023/11/ringleader-of-ransomware-group-in-ukraine-arrested-europol/
[7] https://siliconangle.com/2023/11/28/europol-led-operation-results-arrest-alleged-ransomware-gang-ukraine/
[8] https://www.techtarget.com/searchSecurity/news/366561297/Europol-Ukraine-police-arrest-alleged-ransomware-ringleader