European authorities have busted up a Ukraine-based ransomware gang responsible for “hundreds of millions of euros” of damage to companies around the world.
Ukrainian police recently raided 30 premises across the war-torn country, arresting five men including the gang’s alleged ringleader.
During the Ukrainian raids on homes and vehicles, police seized computers, cars, SIM cards, banking cards, dozens of storage drives, and around $160,000 worth of cryptocurrency.
The arrests followed an international effort that Europol co-ordinated between law enforcement agencies in affected countries.
“Attackers have attacked the world's most powerful companies in France, Norway, Germany, the Netherlands, Canada and the United States since 2018,” Yurii Vykhodets, head of the Cyber Police Department, said in a statement.
“As a result of many months of painstaking work, Ukrainian law enforcement officers – with the assistance of colleagues from the United States, Norway, the Netherlands, Germany and France – identified the 32-year-old leader of the hacker group and his four most active accomplices.”
The gang reportedly had over 1,000 corporate victims, according to Ukrainian police, and was responsible for hundreds of millions of dollars in damage to affected businesses.
Its members developed and deployed the LockerGoga, MegaCortex, Hive, and Dharma ransomware strains.
LockerGaga ransomware shut down Norwegian aluminium producer Norsk Hydro back in 2019 in an attack that moved from computers in the company’s US arm to its aluminium plants in Norway.
Earlier this year, the US Department of Justice announced it had disrupted the Hive ransomware including by hacking into the machines of its operators, stealing decryption keys, and handing them out to victims.
Hive had reportedly been responsible for over $140 million of ransom payments.
According to Europol, the suspects each played a different role in the way the ransomware group operated.
“Some of the them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files,” Europol said.
“Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords.
“Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.”
Today EUROPOL in conjunction with the Ukraine National Police arrested individuals operating a ransomware group out of Ukraine. The group is believed to be behind the ransoming of 'over 1,000 servers'.
— vx-underground (@vxunderground) November 28, 2023
They released footage of some of the arrests pic.twitter.com/9oIF5H6nAn
It’s not the first time a cross-border law enforcement operation has busted up a ransomware gang – and it’s unlikely to be the last.
Back in 2021, Ukrainian police arrested six members of the infamous Clop ransomware gang that had been terrorising organisations around the world, including a NSW government agency.
That same year, South Korean, Polish, and Romanian authorities arrested members of the notorious REvil gang, nabbing one of its core members and the perpetrator of a supply chain attack that led to a mass ransomware event.
The Australian government has been trying to shore up against local ransomware attacks that continue to devastate local businesses.
In its latest cyber security strategy, the Commonwealth stopped shy of banning ransomware payments, looking instead to improve education and threat sharing capabilities between affected organisations.