Ukraine Police Dismantle Major Ransomware Group

Police in Ukraine have arrested five individuals including the suspected ringleader of a prolific ransomware affiliate believed to have made hundreds of millions of dollars from cyber-attacks.

Law enforcers and judicial authorities from seven countries joined forces with Europol to dismantle the group, searching 30 properties in Kyiv, Cherkasy, Rivne and Vinnytsia on November 21.

The five suspects are believed to be part of an organized cybercrime network responsible for attacks that encrypted 250 servers belonging to large organizations in 71 countries. They deployed the LockerGoga, MegaCortex, Hive and Dharma variants, according to Europol.

Initial access was achieved through brute force attacks, SQL injections and phishing emails with malicious attachments, while post-exploitation activity included use of TrickBot malware, Cobalt Strike and PowerShell Empire.

Read more on ransomware: Norsk Hydro Admits Ransomware Costs May Have Hit $41m

Twenty investigators from Norway, France, Germany and the US were sent to Kyiv to assist local police in making the arrests. They come after a similar raid in 2021, which resulted in the arrest of a further 12 suspects thought to be involved in the gang.

Those arrested last week, including the suspected 32-year-old ringleader, had different roles in the group – with some involved in compromising victims’ IT networks and others tasked with laundering cryptocurrency payments, Europol claimed.

The latest arrests are the culmination of a four-year operation which began when the French authorities set up a joint investigation team (JIT) with Norway the UK and Ukraine, later to be joined by officers from the Netherlands, Germany, Switzerland and the US.

Thanks to their work, the Swiss authorities – alongside No More Ransom and Bitdefender – were able to create decryptors for LockerGoga and MegaCortex.