A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes.
“On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader,” Europol said in a statement today. “Four of the ringleader’s most active accomplices were also detained.”
The development comes more than two years after 12 people were apprehended in connection with the same operation. The individuals are primarily linked to LockerGoga, MegaCortex, and Dharma ransomware families.
The suspects are estimated to have targeted over 1,800 victims across 71 countries since 2019. They have also been accused of deploying the now-defunct Hive ransomware against high-profile organizations.
Some of the co-conspirators are believed to have been involved in penetrating IT networks by orchestrating brute-force attacks and SQL injections, and by sending phishing emails bearing malicious attachments, in order to steal usernames and passwords.
Following a successful compromise, the attackers moved stealthily within the networks, deploying additional malware and post-exploitation tools such as TrickBot, Cobalt Strike, and PowerShell Empire before ultimately dropping the file-encrypting malware.
The other members of the cybercrime network are suspected to be in charge of laundering cryptocurrency payments made by victims to decrypt their files.
“The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros,” Europol said.
The collaborative effort involved authorities from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, and the U.S.
The disclosure comes less than two weeks after Europol and Eurojust announced the takedown of a prolific voice phishing gang by Czech and Ukrainian police. The gang is believed to have netted millions in illegal profits by tricking victims into transferring funds from their ‘compromised’ bank accounts to ‘safe’ bank accounts under the gang’s control.
It also arrives a month after Europol revealed that law enforcement and judicial authorities from eleven countries dismantled the infrastructure associated with Ragnar Locker ransomware and arrested a “key target” in France.