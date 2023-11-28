In an unprecedented operation led by law enforcement agencies from seven countries, a major ransomware group responsible for attacks in 71 countries has been dismantled, putting an end to their reign of cybercrime. Europol and Eurojust played crucial roles in this successful collaborative effort, which resulted in the arrests of the core members of the criminal network in Ukraine.

The group targeted organizations worldwide, crippling their operations with several ransomware families, including LockerGoga, MegaCortex, HIVE, and Dharma. The suspects did not all do the same job: some broke into IT networks, while others laundered the cryptocurrency payments victims made to regain access to their encrypted files.

They gained initial access by stealing user credentials, through brute-force and SQL injection attacks, and by sending phishing emails carrying malicious attachments. Once inside, they used TrickBot (a banking trojan turned malware loader) and the post-exploitation frameworks Cobalt Strike and PowerShell Empire to move laterally and compromise further systems on the network, and only then deployed the ransomware payloads they had prepared in advance.

The investigation revealed that this network of affiliates encrypted more than 250 servers operated by major corporations, causing losses that exceeded several hundred million euros.

On November 21st, a series of coordinated raids across multiple cities in Ukraine led to the apprehension of the 32-year-old mastermind and four of his accomplices. Norway, France, Germany, and the United States also provided crucial assistance to the Ukrainian National Police during the investigation. Europol established a virtual command center in the Netherlands to handle the vast amount of data seized during the searches.

The operation continues the same investigation that produced arrests in 2021, when 12 individuals were detained in connection with ransomware attacks on 1,800 victims across 71 countries.

At the time of the 2021 action, investigators had already identified LockerGoga, MegaCortex, and Dharma as the group's ransomware of choice, alongside the TrickBot malware and post-exploitation tooling such as Cobalt Strike. Europol and Norwegian authorities then analyzed the data recovered from devices seized in Ukraine, which led to the identification and arrest of further suspects in Kyiv.

The roots of this international police operation can be traced back to September 2019, when French authorities initiated the action. The primary objective was to locate and bring to justice the threat actors operating within Ukraine. A joint investigation team, consisting of Norway, France, the United Kingdom, and Ukraine, supported by Eurojust and collaborating with Dutch, German, Swiss, and U.S. authorities, laid the groundwork for this comprehensive operation.

The participating law enforcement agencies include the National Criminal Investigation Service of Norway, the Public Prosecutor’s Office of Paris and the National Police in France, the National Police and National Public Prosecution Service in the Netherlands, the Prosecutor General’s Office and National Police of Ukraine, the Public Prosecutor’s Office of Stuttgart and Police Headquarters Reutlingen CID in Germany, the Swiss Federal Office of Police, Polizei Basel-Landschaft, the Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police in Switzerland, and the United States Secret Service and Federal Bureau of Investigation in the United States. Europol’s European Cybercrime Centre (EC3) and Eurojust have been pivotal in facilitating this multi-country collaboration.

With the dismantling of this international ransomware syndicate, law enforcement agencies have shown that such operations can be traced to the people behind them and prosecuted. Continued cross-border collaboration of this kind remains one of the few effective counters to the growing threat of ransomware.

Frequently Asked Questions (FAQ)

What is ransomware?

Ransomware is a type of malicious software that encrypts files on a victim’s computer or network, rendering them inaccessible until a ransom is paid to the attacker. It is a highly profitable form of cybercrime that has become increasingly prevalent in recent years.

What kinds of ransomware did this group use?

The criminal network targeted organizations using several ransomware strains, including LockerGoga, MegaCortex, HIVE, and Dharma. All four are deployed against enterprise networks rather than individual users, and the group switched between them rather than depending on a single family, which is why the 2021 findings listed only LockerGoga, MegaCortex, and Dharma.

How did this group gain access to their targets’ networks?

The cybercriminals used more than one route in. They stole user credentials through brute-force attacks on login services and through SQL injection against web applications. They also sent phishing emails with malicious attachments to trick recipients into opening them and running malware on their devices.
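The two credential-theft techniques named above (and in the description of the group's methods earlier in the article), password brute forcing and SQL injection, both leave traces in ordinary logs. The script below is an added example, not code from the article or from any of the agencies involved: it runs two simple detections over constructed sshd-style auth log lines and constructed web-server access log lines. The IP addresses, usernames, timestamps, thresholds, and rule patterns are all assumptions chosen for the illustration.

```python
"""Detection sketch for two initial-access techniques named in the article:
password brute forcing against a login service and SQL injection against a
web login form.  All log lines below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus, urlsplit

# Constructed sshd-style auth log: a five-guess burst from 203.0.113.7 that
# ends in a successful password login, plus ordinary activity from 198.51.100.4.
AUTH_LOG = """\
2023-11-21T03:14:01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2023-11-21T03:14:03 sshd[812]: Failed password for root from 203.0.113.7 port 50123 ssh2
2023-11-21T03:14:05 sshd[812]: Failed password for root from 203.0.113.7 port 50124 ssh2
2023-11-21T03:14:07 sshd[812]: Failed password for backup from 203.0.113.7 port 50125 ssh2
2023-11-21T03:14:09 sshd[812]: Failed password for oracle from 203.0.113.7 port 50126 ssh2
2023-11-21T03:14:11 sshd[812]: Accepted password for backup from 203.0.113.7 port 50127 ssh2
2023-11-21T03:20:00 sshd[813]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2023-11-21T03:45:00 sshd[814]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed logins inside `window`.

    Returns {ip: {"failures": n, "users": [...], "success_after_burst": bool}}.
    A success from the same source at or after the burst is the case a
    responder cares about most: the password was guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:  # events[i:j] all fall inside one window
                burst_end = events[j - 1][0]
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({u for _, u in events[i:j]}),
                    "success_after_burst": any(t >= burst_end for t, _ in successes[ip]),
                }
                break
    return alerts


# Constructed combined-format access log.  Two requests carry classic injection
# payloads against a login form; "O'Reilly" is a benign apostrophe that a
# naive quote-only rule would wrongly flag.
ACCESS_LOG = """\
203.0.113.7 - - [21/Nov/2023:03:30:12 +0000] "GET /login?user=admin'%20OR%20'1'='1&pass=x HTTP/1.1" 200 512
203.0.113.7 - - [21/Nov/2023:03:30:15 +0000] "GET /login?user=x'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 9811
198.51.100.4 - - [21/Nov/2023:03:31:00 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [21/Nov/2023:03:31:05 +0000] "GET /search?q=O'Reilly HTTP/1.1" 200 2048
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, regex) applied to the URL-decoded query string.
SQLI_RULES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=", re.I)),      # ' OR '1'='1
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),                # trailing SQL comment
]


def detect_sqli(log_text):
    """Return one finding per request whose decoded query matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        query = unquote_plus(parts.query)       # decode %20, + etc. before matching
        hits = [name for name, rx in SQLI_RULES if rx.search(query)]
        if hits:
            findings.append({"ip": m["ip"], "path": parts.path,
                             "rules": hits, "status": m["status"]})
    return findings


if __name__ == "__main__":
    for ip, info in detect_brute_force(AUTH_LOG).items():
        print("brute force from", ip, info)
    for f in detect_sqli(ACCESS_LOG):
        print("sqli attempt", f)
```

Two design points worth noting. The brute-force rule reports whether a success followed the failure burst, because a guessed password is an incident while a burst of failures alone is background noise on any internet-facing host. The SQL injection rules match on the decoded query string rather than the raw URL, since `%20OR%20` hides the keyword from a rule that does not decode first, and they look for SQL syntax rather than a lone apostrophe so that legitimate input such as a surname does not page anyone.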

What tools did the attackers use to carry out their operations?

Three tools are named: the TrickBot malware, which gave the attackers a foothold and loaded further payloads, and the post-exploitation frameworks Cobalt Strike and PowerShell Empire, which provided command and control and let the attackers move laterally through a compromised network. The ransomware itself was deployed last, once enough systems had been reached to encrypt files across the organization.

Which countries were involved in dismantling this criminal network?

The law enforcement operation involved agencies from seven countries: Norway, France, the Netherlands, Ukraine, Germany, Switzerland, and the United States. Each country played a crucial role in the collaborative effort to locate and apprehend the members of the ransomware group.