Police Bust Suspected Ransomware Group Ringleader in Ukraine

Police have arrested a group of criminals in Ukraine who they suspect launched ransomware attacks against large organizations based in more than 70 different countries.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

The EU’s law enforcement agency, Europol, which has helped coordinate the investigation, said in a Tuesday statement that the suspects have been accused of encrypting over 250 servers, using such strains of crypto-locking malware as Dharma, Hive, LockerGoga and MegaCortex, among others.

Tthe group has been tied to attacks that “affected over 1,800 victims in 71 countries,” and demanded ransom payoffs that collectively totaled at least several hundreds of millions of dollars, Eurojust, the EU agency for criminal justice cooperation, which helped coordinate the ongoing operation, said in a statement.

Europol said the criminals often targeted large companies, seeking bigger ransom payoffs – known as big-game hunting – and operated from the Ukrainian capital of Kyiv since before Russia launched its all-out war of conquest in February 2022.

As of September 2022, authorities reported that the group was defunct.

Recently, more than 20 investigators from a number of countries deployed to Ukraine – including from Norway, France, Germany and the United States – to Ukraine to assist in the investigation. On Nov. 21, Ukrainian police searched 30 properties in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, seized more than 100 digital devices and arrested the group’s alleged 32-year-old ringleader, who authorities have not named. Police also detained four alleged accomplices.

The arrests come as part of an ongoing operation launched by France in 2019, working with Norway, France, the U.K. and Ukraine. Their probe has run in in parallel to Dutch, German, Swiss and U.S. authorities – including the FBI and U.S. Secret Service – each running their own, independent investigations into the group.

Europol said the latest searches and arrests built in part on digital forensic evidence gathered after a first round of arrests in the ongoing operation in October 2021, when police detained 12 “high-value targets” in both Ukraine and Switzerland.

Authorities believe different members of the group served different roles, with some appearing to specialize in penetrating victims’ networks, while others handled money laundering for cryptocurrency ransoms victims paid in exchange for the promise of a decryptor.

The group used a variety of tactics to penetrate victims’ networks, including SQL injection attacks, brute-force password cracking and running phishing campaigns designed to steal valid usernames and passwords, police said.

“Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks,” Europol said (see: Block This Now: Cobalt Strike and Other Red-Team Tools).

Swiss authorities, working with Romanian cybersecurity firm Bitdefender, last year published free decryptors to the public/private No More Ransom portal, using digital forensic evidence gathered during the operation. Police said the decryptors can decrypt variants of the LockerGoga and MegaCortex ransomware used by the Ukrainian group to encrypt some victims’ systems (see: LockerGoga Victims Get Free Decryptor; Police Recovered Keys).