Ransomware Affiliate Group Dismantled in International Law Enforcement Operation
An international law enforcement operation has led to the arrest of multiple core members of an organized group of ransomware affiliates in Ukraine. The members of the group were behind attacks involving ransomware variants such as LockerGoga, MegaCortex, HIVE, and Dharma, which were used in more than 250 ransomware attacks in large organizations in 71 countries. The attacks conducted by the group resulted in losses of several hundred million dollars.
The group exploited unpatched vulnerabilities, conducted brute-force and SQL injection attacks, and also used stolen credentials and phishing for initial access. Once access to a network was gained, the group used tools such as TrickBot malware, along with post-exploitation frameworks such as Cobalt Strike and PowerShell Empire, to move laterally and remain inside the network undetected. In some cases, the dwell time was several months before ransomware was deployed to encrypt files. Members of the group had different responsibilities, with some tasked with gaining access to networks while others were responsible for negotiating with victims and laundering the proceeds of the attacks.
A joint investigation was launched in September 2019 by the French authorities and involved law enforcement agencies in Norway, the United Kingdom, and Ukraine, with financial support provided by Eurojust and assistance provided by Europol. Parallel investigations were also conducted by law enforcement agencies in the Netherlands, Germany, Switzerland, and the United States, which helped uncover the true magnitude and complexity of the operation. Europol established a virtual command center in the Netherlands, which received the data seized in the raids.
On November 21, 2023, coordinated raids were conducted at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia in Ukraine. More than 20 investigators took part in the operation and assisted the Ukrainian National Police. The Ukrainian National Police seized computer equipment, electronic media, and other evidence of illegal activities, along with cars, bank and SIM cards, and almost 4 million hryvnias ($110,050) in cash and cryptocurrency assets. The 32-year-old mastermind of the operation was arrested along with four of his most active accomplices.
The latest arrests follow a first round of arrests in 2021 under the same investigation framework. Twelve individuals were arrested in raids on October 26, 2021, in Ukraine and Switzerland, all of whom had been involved in multiple ransomware attacks. In addition to the arrests, $52,000 in cash was seized along with 5 luxury vehicles and many electronic devices. The analysis of the electronic devices and other evidence collected in the first round of raids led to the identification of the suspects who were targeted in the latest phase of the operation.