International police operation dismantled a prominent Ukraine-based Ransomware group

Pierluigi Paganini November 28, 2023

An international law enforcement operation dismantled the core of a ransomware group operating from Ukraine.

A joint law enforcement operation led by Europol and Eurojust, with the support of the police from seven nations, has arrested in Ukraine the core members of a ransomware group.

The police arrested the kingpin along with four other suspects in Ukraine. A total of 30 places were searched and over a hundred digital equipment tools were seized.

The group targeted organizations in 71 countries using multiple ransomware families, including LockerGoga, MegaCortex, HIVE, and Dharma. The ransomware group targeted large corporations causing losses of at least several hundred million euros. 

“Judicial and law enforcement authorities from seven different countries have joined forces in an action against a criminal network responsible for significant ransomware attacks across the world. These attacks are believed to have affected over 1,800 victims in 71 countries.” reads the press release published by Eurojust.

According to Eurojust, a team composed of more than 20 investigators from Norway, France, Germany and the United States worked in Kyiv to assist the Ukrainian authorities. This operation is considered the follow-up of another operation that was conducted by law enforcement in 2021

The suspects played different roles in the criminal network. Some were involved in the infiltration attempts with multiple means, from phishing emails to malware. Once gained access to the target’s network, the attackers deployed malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire. 

“After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma. A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.” concludes the press release.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware group)

you might also like

leave a comment