Cybercriminals Arrested In Ukraine By Agencies From 7 Nations


Law enforcement and judicial officials from seven nations have collaborated with Europol and Eurojust in an unprecedented effort to dismantle major ransomware operations that were wreaking havoc on the global community and to capture the players behind them.

The cybercriminals arrested in Ukraine are linked to ransomware attacks on organizations from over 71 nations.

A 32-year-old mastermind was apprehended after 30 houses in the districts of Kyiv, Cherkasy, Rivne, and Vinnytsia were searched on November 21. His four most active associates were also arrested in the raids.

To support the investigative efforts of the Ukrainian National Police, around twenty investigators from the United States, France, Germany, and Norway were sent to Kyiv, stated Interpol in a press release.

Cybercriminals Arrested in Ukraine

Europol and the police in Norway have since held many operational sprints to forensically analyze the devices found in Ukraine in 2021. This forensic follow-up investigation made it easier to identify the suspects targeted during last week's action in Kyiv.

Investigators believe the people under investigation are part of a network that has launched ransomware attacks on organizations across 71 countries in a number of high-profile cases.

The cybercriminals arrested in Ukraine are known for deliberately going after big organizations and essentially bringing their operations to a complete stop.

To execute their attacks, they used a variety of ransomware, including LockerGoga, MegaCortex, HIVE, and Dharma.

The suspects played different roles in this criminal organization. Some of them are said to be responsible for breaking into their targets’ IT networks, while others are allegedly in charge of laundering the Bitcoin payments that victims make in order to decrypt their files.

Those who broke into networks used brute-force attacks, SQL injection, and phishing emails with malicious attachments, among other techniques, to obtain usernames and passwords.

After entering the networks, the attackers stayed hidden and used Cobalt Strike, PowerShell Empire, and TrickBot malware to expand their access. Their goal was to compromise as many computers as they could before launching ransomware attacks.

According to the inquiry, the cybercriminals arrested in Ukraine had encrypted more than 250 servers owned by major companies, causing losses of several hundred million euros.

International collaboration

A joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine was established in September 2019 at the behest of the French authorities. The JIT received financial backing from Eurojust and cooperation from both agencies.

Since then, the JIT’s partners have been collaborating closely to identify and apprehend the dangerous actors in Ukraine while running their own independent investigations alongside those of the Dutch, German, Swiss, and American authorities.

Thanks to the forensic analysis conducted as part of this investigation, the Swiss authorities, in collaboration with Bitdefender and the No More Ransom partners, were able to create decryption tools for the LockerGoga and MegaCortex ransomware versions. The decryption tools are freely accessible to all.

Participating authorities

Investigative bodies from seven nations were involved in the operation. The organizations are: National Criminal Investigation Service (Kripos) from Norway; Public Prosecutor’s Office of Paris and the National Police from France; National Police and National Public Prosecution Service from the Netherlands; Prosecutor General’s Office and National Police from Ukraine; Public Prosecutor’s Office of Stuttgart and Police Headquarters Reutlingen from Germany; Swiss Federal Office of Police, Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, and Zurich Cantonal Police from Switzerland; United States Secret Service and FBI from the US; and Europol and Eurojust.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.




