Multinational Police Force Arrests 12 Suspected HackersThreat Actors Believed to Be Responsible for More Than 1,800 Ransomware Attacks
Europol on Friday announced the arrest of 12 individuals for their suspected roles in ransomware attacks against critical infrastructure across the world.
These actors are believed to have affected more than 1,800 victims in 71 countries and are known to have targeted large corporations causing business disruption.
They are accused of being behind the deployment of ransomware strains such as LockerGoga, MegaCortex and Dharma, among others, and are under arrest after a joint operation involving law enforcement and judiciary agencies from eight countries.
"The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions," Europol notes.
Europol says it has seized more than $52,000 in cash, plus five luxury vehicles. In addition, the various authorities are currently forensically examining several electronic devices to secure evidence and identify new investigative leads.
The arrests were coordinated by Europol's European Cybercrime Center with assistance from Eurojust, an EU law enforcement agency. They were conducted with help from authorities in Norway, France, the Netherlands, Ukraine, the United Kingdom, Germany, Switzerland and the United States.
The suspected hackers are alleged to have had various roles in organized criminal gangs. They are believed to be responsible for dealing with initial access to networks, using multiple mechanisms to compromise IT networks, including brute-force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.
"Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access," Europol states.
In addition, Europol claims that the criminals would stay undetected in the compromised system for months, looking for further weaknesses in the network before monetizing the infection by deploying a ransomware, such as LockerGoga, MegaCortex and Dharma, among others.
"The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected. A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys," Europol notes. "A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains."
The joint operation was coordinated by Europol. The agency says that Eurojust played an important role in identifying the arrested threat actors as the victims were located in different geographical locations around the world.
The joint investigation team - or JIT - was initiated by the French authorities and set up in September 2019 between Norway, France the United Kingdom and Ukraine with financial support from Eurojust and the assistance of both Eurojust and Europol.
"The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these cyber actors to establish a joint strategy," Europol notes.
In addition, Eurojust - which had established a coordination center to facilitate cross-border judicial cooperation during the action day - held seven coordination meetings.
Europol notes that this operation was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats - or EMPACT.
Extortion Remains at All-Time High
Despite the U.S. White House declaring war on ransomware - including initiatives to improve the cyber resiliency of U.S. businesses - at least so far, the number of victims being listed on data leak sites hasn't been declining, according to Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future (see: Ransomware: No Decline in Victims Posted to Data Leak Sites)
Security firms Kaspersky and Emsisoft estimated that there were about 65,000 successful ransomware attacks in 2020.