Major Ransomware Operation in Ukraine Dismantled by Law Enforcement

In a collaborative effort between law enforcement agencies in Europe and the US, Ukrainian authorities have apprehended five key individuals involved in a ransomware network, including an alleged ringleader.

The arrests took place on 21 November as part of a synchronized operation targeting 30 properties in Kyiv, Cherkasy, Rivne, and Vinnytsia. These individuals are accused of deploying ransomware lockers such as LockerGoga, MegaCortex, Hive, and Dharma on the networks of various corporate victims across more than 70 countries.

Europol, the European Union agency that coordinated the operation, stated that these arrests are particularly significant as they come at a crucial time, with Russia’s war on Ukraine in its second year. The operation is the result of a multi-year effort, initiated by French authorities and involving a joint investigation team (JIT) between Norway, France, the United Kingdom, and Ukraine. Financial support from Eurojust and assistance from multiple agencies were instrumental in the success of the operation.

Prior to the recent arrests, a previous round of apprehensions in 2021 allowed forensic analysis to identify and target the suspects. Collaboration with organizations like NoMoreRansom and Bitdefender also led to the development of free decryptors for LockerGoga and MegaCortex ransomware.

The individuals arrested had various roles within the ransomware ecosystem. Some were directly involved in infiltrating and compromising victims’ systems through techniques like brute force attacks, SQL injection, phishing, and social engineering. They employed tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to maintain persistence and execute ransomware attacks. Additionally, some suspects are believed to have facilitated the laundering of cryptocurrency payments received from their victims.

The investigation revealed that these criminals encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundred million euros. According to Mandiant’s head of cyber crime analysis, Kimberly Goody, the arrests of individuals associated with significant ransomware incidents send a strong message that there are consequences for these attacks. These individuals likely served as affiliates or provided support for multiple ransomware services, and disrupting their operations can temporarily hinder their activities.

Goody also noted that the ransomware variants LockerGoga and MegaCortex, as well as the tactics described by Europol, align with the activities of an actor known as FIN6, associated with high-profile ransomware attacks like Maze and Ryuk. However, due to the complex nature of the cyber crime landscape and the challenges of attribution, a direct connection to the recent arrests cannot be definitively established.
