Ukrainian ransomware gang behind high-profile attacks dismantled

Law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations.

On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the ringleader. Four of the ringleader’s most active accomplices were also detained.

More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian National Police with their investigative measures. This set-up was mirrored from Europol’s headquarters in the Netherlands, where a virtual command post was activated to immediately analyse the data seized during the house searches in Ukraine.

Dangerous, elusive and versatile

The individuals under investigation are believed to be part of a network responsible for high-profile ransomware attacks against organizations in 71 countries.

These cyber actors are known for targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, HIVE, and Dharma ransomware, among others, to carry out their attacks.

The suspects had different roles in this criminal organization. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections, and sending phishing emails with malicious attachments to steal usernames and passwords.

Once inside the networks, the attackers remained undetected and gained additional access using tools, including TrickBot malware, Cobalt Strike, and PowerShell Empire, to compromise as many systems as possible before triggering ransomware attacks.

The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.