A coordinated law enforcement action has led to the arrest of two “prolific ransomware operators” in Ukraine, Europol has revealed.
The strike was undertaken between the French National Gendarmerie, the Ukrainian National Police and the United States Federal Bureau of Investigation (FBI) in conjunction with Europol and INTERPOL on September 28. While neither the individuals nor the gang they allegedly belong to were named, Europol said they were “known for their extortionate ransom demands (between €5m and €70m).”
The group is believed to have targeted numerous “very large industrial groups in Europe and North America” since April 2020. They are also renowned for their ‘double extortion’ tactics, deploying malware and stealing sensitive data from their victims in addition to encrypting their files. They would then demand a large ransom payment under threat of leaking the stolen data on the dark web.
The Ukrainian authorities stated that the suspects were responsible for attacks against over 100 worldwide organizations, causing more than $150 million in damages.
As well as the two arrests, the joint law enforcement action resulted in seven property searches, seizure of $375,000 in cash, seizure of two luxury vehicles worth €217,000 and asset freezing of $1.3m in cryptocurrencies.
Europol helped bring together law enforcement agencies to establish a joint strategy, including creating a virtual command post. The operation involved six investigators from French Gendarmerie, four from the US FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Centre (EC3) and one INTERPOL officer to work alongside the Ukrainian National Police.
Providing further insights into the tactics used by the ransomware operators, Stefano De Blasi, threat researcher at Digital Shadows, said: “The suspects reportedly compromised their victims via spear-phishing campaigns and by targeting remote working tools such as remote desktop protocol (RDP) and virtual private networks (VPN). This observation highlights how social engineering remains a vital access vector for threat actors, as human curiosity is often exploited to bypass technological defences. Additionally, the use of RDP and VPN to compromise organizations suggests that the suspects have likely gained access to victims by purchasing initial access broker (IAB) listings on cyber-criminal forums and marketplaces.”
He added: “Europol also stated that the operation resulted $1.3m being frozen within the group’s seized crypto wallets. Ukrainian police stated that the suspects had an accomplice who helped the group launder money gained from illicit means. The use of individuals skilled in laundering money has been a significant factor in the development of ransomware groups into an effective criminal business model. Although law enforcement agencies have not named the ransomware gang behind this operation, it is unclear what extent the operation will have on the group in question, or on the wider ransomware ecosystem.
“While solitary operations will not provide a remediation to the ransomware threat overnight, law enforcement operations can have a significant impact to targeted ransomware groups, often resulting in a suspension or disruption of their activity. These raids can achieve their greatest potential when paired with diplomatic efforts, innovative policies and effective public-private partnerships.”