A joint task force of law enforcement agencies from several countries arrested 12 people in Ukraine and Switzerland in connection with ransomware attacks against critical infrastructure entities, using the LockerGoga, Dharma, and MegaCortex ransomware variants.
As part of the operation, investigators from the Secret Service, FBI, Europol, Swiss Federal Police, National Police of Ukraine, and many other agencies seized five vehicles, $52,000, and a number of electronic devices. Investigators didn’t specify which ransomware group the suspects are associated with, but said they were responsible for attacks on at least 1,800 victims in 71 countries.
This operation is the latest action against ransomware operators by law enforcement agencies, which have gone on the offensive in recent months as high-profile attacks on enterprises, utilities, and critical infrastructure operators have ramped up. Authorities in the United States have taken action against ransomware groups, mainly by recovering some ransom payments and indicting alleged operators. But because many ransomware groups are based in Russia and other countries that are outside the reach of U.S. authorities, direct legal action against them has been difficult.
European authorities have had more success on that front, and the joint task force that executed this latest operation is an example of the cooperative effort that is necessary to disrupt ransomware operations. In all, 50 investigators from 13 separate agencies participated in the investigation and operation, which began in late 2019.
“Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot."
The description of the operation that the suspects were allegedly involved in has the division of labor and specialization that have become the hallmarks of ransomware groups over the last few years.
“The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments,” Europol said in a statement.
“Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.”
A video of the raids on the suspects’ homes shows investigators seizing dozens of phones, laptops, external hard drives, and other devices, along with U.S. currency, Euros, and other currency. Nearly all ransomware payments are done in cryptocurrency, usually Bitcoin, and authorities said several of the suspects are alleged to have specialized in laundering those payments.
“A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains,” Europol said.