Security news that informs and inspires

International Operation Leads to Ransomware Ringleader Arrest

By

Law enforcement agencies from seven countries, along with Europol and Eurojust, have arrested several high-ranking members of a ransomware group responsible for attacks against organizations in 71 countries.

In a series of raids across Ukraine, the agencies apprehended several individuals that allegedly belong to the group, which has encrypted over 250 servers and cost large corporations several hundreds of millions of euros. Europol said they have targeted several large corporations with ransomware like LockerGoga, MegaCortex, Hive and Dharma.

“On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the 32-year-old ringleader,” according to Europol’s Tuesday press release. “Four of the ringleader's most active accomplices were also detained.”

This latest action follows up on a previous international operation in 2021 led by Europol that resulted in the arrest of 12 people in Ukraine and Switzerland, in connection with cyberattacks against critical infrastructure entities that leveraged these same ransomware variants.

Europol’s announcement gives an inside look into the level of work and organization behind the scenes for ransomware groups. The suspects allegedly had various roles, with some in charge of initially compromising IT networks, and others working to launder cryptocurrency ransom payments that were made by the victims.

“Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords,” according to Europol's release. “Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.”

"Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects."

Kimberly Goody, head of cybercrime analysis with Google Cloud's Mandiant team, said that when cybercriminals initially moved away from mass distributed ransomware attacks to instead carry out more targeted, post-compromise ransomware deployments, LockerGoga and Megacortex were some of the earlier variants that they used.

These variants have been used to target organizations in the healthcare sector and other critical industries, said Goody. The individuals under investigation, meanwhile, may have been affiliates associated with various ransomware services, or they may have served in supporting functions for multiple groups.

"Some of the TTPs described in the press release align with activity we have historically attributed to a FIN6-affiliated actor including the use of Trickbot and Lockergoga, however, given the complexities and interdependence of the cyber crime ecosystem we cannot confirm at this time whether this law enforcement action is associated with this threat actor," said Goody.

The operation also highlights the strong web of international partnerships that have been developed to tackle ransomware. The authorities participating in the operation included ones from Norway, France, the Netherlands, Ukraine, Germany, Switzerland and the U.S., with more than 20 investigators from different countries being deployed directly to Kyiv to help the Ukrainian National Police.

The partnering forces worked together during operational meetings that included digital forensic, cryptocurrency and malware analysis and information exchange. This forensic analysis also allowed the Swiss authorities (alongside Bitdefender and the No More Ransom Project) to develop decryption tools for the LockerGoga and MegaCortex ransomware families, which were released in September 2022 and January 2023, respectively.

"This deals a blow to the operations and should be celebrated as such, but also should not be confused or conflated with the overall eradication of the named threats."

“Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine, with financial support from Eurojust and assistance from both Agencies,” according to Europol. “The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch, German, Swiss and U.S. authorities, to locate the threat actors in Ukraine and bring them to justice.”

As for the impact of this operation, Goody said that arrests of individuals associated with ransomware activity sends "a clear message that there will be consequences for these attacks."

"Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects," said Goody. "Breaking one link in their organizational cycle can cause significant - albeit temporary - disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world."

The arrests are also significant because they include operators that have been involved with high-profile ransomware operations like Hive, as well as very long-lived operations like Dharma, which has been active since 2016, said Alex Delamotte and Jim Walter, senior threat researchers at SentinelOne's SentinelLabs.

"In the broader context, it should be noted that this large, ongoing effort, is chipping away at the structure of an affiliate group (or groups) associated with the deployment and use of these tools (TrickBot, Hive, Crysis, etc.)," said Delamotte and Walter. "This deals a blow to the operations and should be celebrated as such, but also should not be confused or conflated with the overall eradication of the named threats."