Skip links

Europol shutters ransomware operation with kingpin arrests

International law enforcement investigators have made a number of high-profile arrests after tracking a major cybercrime group for more than four years.

A joint investigation team (JIT), spearheaded by French authorities, formed in 2019 to bring down a ransomware group linked to major attacks across the world.

Announcing the news today, Europol said that five individuals were arrested, including the 32-year-old leader of the group and four of its “most active accomplices.”

Thirty properties in Ukraine were raided on November 21 across the Kyiv, Cherkasy, Rivne, and Vinnytsia regions. A virtual command post was also established in Europol’s Netherlands headquarters where data taken from the property raids was analyzed “immediately.”

Ukrainian National Police raid properties in search for the cybercriminals. Image courtesy of Europol.

Ukrainian National Police raid properties in search of the cybercriminals. Image courtesy of Europol

Europol said today in a press release that the arrests led to the “dismantlement” of the group.

However, a spokesperson told The Register that “there are still a few members which are being sought after, but they’re of lesser importance.”

The arrests follow 12 that were made in 2021, two years after the JIT was first assembled. Members of the same group were arrested in Ukraine and Switzerland, and key electronic devices were seized for forensic analysis, along with $52,000 in cash and five luxury vehicles.

The seizure of the electronic devices and their subsequent analysis led to the identification of the key members arrested last week.

Europol said “a number of operational sprints [had] been organized,” heavily involving the Norwegian authorities over the past two years to analyze the devices.

Asked why the arrests have come so long after the initial seizure, a spokesperson told The Register that it takes time to gather enough evidence to prosecute cybercriminals.

“As always with investigations as well, there’s a strategy to try, we might have identified these members, but we were continuing to build the picture,” they said.

“Whenever you do all the forensic work, you uncover other leads, but open up the investigation that feeds into other existing investigations. That’s why we were only able to do the second round of actions now.”

Also contributing to the two-year delay was the war in Ukraine starting in 2022, shortly after the seizures were made. Europol believes this didn’t slow investigations down at all, but the operation had to be reorganized.

Who’s been cuffed?

The names of those arrested have not been released and the ransomware group itself doesn’t behave like LockBit, AlphV/BlackCat or Rhysida. The cybercriminals were well-resourced and used multiple different strains to attack their targets.

These included LockerGoga, MegaCortex, Hive, and Dharma. Europol said the group had attacked more than 250 servers belonging to organizations in 71 countries, netting the group hundreds of millions of euros in the process.

The group isn’t tracked with a moniker, as many repeat offenders are, but it is responsible for major historical attacks, perhaps most notably the ransomware incident at Norsk Hydro.

It was also responsible for the attack on French consultancy Altran, which is now known as Capgemini Engineering following a 2019 acquisition.

The spokesperson said the arrested cybercriminals were not core members of any of the organizations behind the ransomware strains they used. However, they were on the radar of law enforcement for their involvement in numerous other incidents under separate investigations.

Members all had different roles within the group. Some were responsible for the actual intrusion into victims’ systems, while others specialized in areas such as money laundering – a branch of ransomware operations that’s also under close examination by global authorities.

“Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections, and sending phishing emails with malicious attachments in order to steal usernames and passwords,” Europol said.

“Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike, and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.” ®