International collaboration leads to dismantlement of ransomware group in Ukraine amidst ongoing war

 

In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world. The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory. 

On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader's most active accomplices were also detained.

More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian National Police with their investigative measures. This set-up was mirrored from Europol’s headquarters in the Netherlands where a virtual command post was activated to immediately analyse the data seized during the house searches in Ukraine.

This latest action follows a first round of arrests in 2021 in the framework of the same investigation. Since then, a number of operational sprints have been organised at Europol and in Norway with the aim of forensically analysing the devices seized in Ukraine in 2021. This forensic follow-up work facilitated the identification of the suspects targeted during the action last week in Kyiv. 

Dangerous, undetected and versatile

The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organisations in 71 countries. 

These cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, HIVE and Dharma ransomware, among others, to carry out their attacks.

The suspects had different roles in this criminal organisation. Some of the them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords.

Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.

The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.

International cooperation

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine, with financial support from Eurojust and assistance from both Agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch, German, Swiss and U.S. authorities, to locate the threat actors in Ukraine and bring them to justice.

This international cooperation has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine.

A Ukrainian cyber police officer was initially seconded to Europol for two months to prepare for the first phase of the action, before being deployed to Europol permanently to facilitate law enforcement cooperation in this field.

From the onset of the investigation, Europol’s European Cybercrime Centre (EC3) hosted operational meetings, providing digital forensic, cryptocurrency and malware support, and facilitating the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters.

Eurojust hosted twelve coordination meetings to facilitate the communication and judicial cooperation between the authorities involved.

The forensic analysis carried out in the framework of this investigation also allowed the Swiss authorities to develop, together with the No More Ransom partners and Bitdefender, decryption tools for the LockerGoga and MegaCortex ransomware variants. These decryptions tools have been made available for free on: www.nomoreransom.org.

Participating authorities:

Norway: National Criminal Investigation Service (Kripos)

France: Public Prosecutor’s Office of Paris, National Police (Police Nationale - OCLCTIC)

Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)

Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)

Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen

Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor's Office of the canton of Zurich, Zurich Cantonal Police

United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI) 

Europol: European Cybercrime Centre (EC3)

Eurojust

The investigation benefited from funding from the European Multidisciplinary Platform Against Criminal Threats (EMPACT).