Pierluigi Paganini
November 28, 2023
A joint law enforcement operation led by Europol and Eurojust, with the support of the police from seven nations, has arrested in Ukraine the core members of a ransomware group.
Today EUROPOL in conjunction with the Ukraine National Police arrested individuals operating a ransomware group out of Ukraine. The group is believed to be behind the ransoming of 'over 1,000 servers'.
— vx-underground (@vxunderground) November 28, 2023
They released footage of some of the arrests pic.twitter.com/9oIF5H6nAn
The police arrested the kingpin along with four other suspects in Ukraine. A total of 30 places were searched and over a hundred digital equipment tools were seized.
The group targeted organizations in 71 countries using multiple ransomware families, including LockerGoga, MegaCortex, HIVE, and Dharma. The ransomware group targeted large corporations causing losses of at least several hundred million euros.
“Judicial and law enforcement authorities from seven different countries have joined forces in an action against a criminal network responsible for significant ransomware attacks across the world. These attacks are believed to have affected over 1,800 victims in 71 countries.” reads the press release published by Eurojust.
🌐 Int'l collaboration leads to the dismantlement of ransomware group in
— Europol (@Europol) November 28, 2023amidst ongoing war.
⚠️ The unprecedented effort brought law enforcement & judicial authorities from 7 countries together with Europol & @Eurojust to apprehend key players.
➡️ https://t.co/U07E85aaKm pic.twitter.com/trFzZNeozz
According to Eurojust, a team composed of more than 20 investigators from Norway, France, Germany and the United States worked in Kyiv to assist the Ukrainian authorities. This operation is considered the follow-up of another operation that was conducted by law enforcement in 2021.
The suspects played different roles in the criminal network. Some were involved in the infiltration attempts with multiple means, from phishing emails to malware. Once gained access to the target’s network, the attackers deployed malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire.
“After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma. A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.” concludes the press release.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware group)
