Cybercrime , Fraud Management & Cybercrime , Ransomware

Police Bust Suspected Ransomware Group Ringleader in Ukraine

5 Suspects Arrested; Group Tied to Ransomware Attacks Against 1,800 Victims
Police Bust Suspected Ransomware Group Ringleader in Ukraine
Police raided a property last week in Ukraine as part of their investigation into an alleged ransomware-wielding crime group. (Image: Ukrainian Cyber Police)

Police have arrested a group of criminals in Ukraine who they suspect launched ransomware attacks against large organizations based in more than 70 different countries.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Since 2018, the group has been tied to attacks that "affected over 1,800 victims in 71 countries," and has demanded ransom payoffs that collectively totaled at least several hundreds of millions of dollars, Eurojust, the EU agency for criminal justice cooperation that helped coordinate the ongoing operation, said in a statement.

Ukrainian police accused the ransomware-wielding group of attacking some of world's biggest companies, including Norwegian aluminum giant Norsk Hydro in 2019. In another attack the same year, they said the group used ransomware to shake down the Dutch arm of a U.S.-based chemical company for a ransom payment of 450 bitcoins, then worth $1.3 million.

"As a result of many months of painstaking work, Ukrainian law enforcement officers - with the assistance of colleagues from the U.S., Norway, the Netherlands, Germany and France - identified the 32-year-old leader of the hacker group and his four most active accomplices," Yuriy Vykhodets, who heads Ukraine's Cyber Police Department, said in a statement, according to a machine translation.

Ukrainian police arrested all five suspects on Nov. 21, backed by 20 investigators from international law enforcement agency partners who deployed to Ukraine for the raids. Police also searched 30 properties in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, seized more than 100 digital devices, $110,000 in cash and an unspecified amount of cryptocurrency. Police didn't name the suspects.

The EU's law enforcement agency, Europol, which helped coordinate the investigation, said in a Tuesday statement that the suspects have been accused of using such strains of crypto-locking malware as Dharma, Hive, LockerGoga and MegaCortex, among others, to attack victims.

Europol said the group has often targeted large companies, seeking bigger ransom payoffs - known as big game hunting - and operated from the Ukrainian capital of Kyiv both before and after Russia launched its all-out war of conquest in February 2022.

As of September 2022, authorities reported that the group appeared to be defunct.

The suspects' arrests come as part of an ongoing operation launched by France in 2019, working with Norway, France, the U.K. and Ukraine. Their probe has run in parallel with Dutch, German, Swiss and U.S. authorities - including the FBI and U.S. Secret Service - each running their own, independent investigations into the group.

Europol said the latest searches and arrests built in part on digital forensic evidence gathered after a first round of arrests in the ongoing operation in October 2021, when police detained 12 "high-value targets" in both Ukraine and Switzerland.

Authorities believe different members of the group played different roles. Some appeared to specialize in penetrating victims' networks while others handled money laundering for cryptocurrency ransoms victims paid in exchange for the promise of a decryptor.

The group used a variety of tactics to penetrate victims' networks, including SQL injection attacks, brute-force password cracking and phishing campaigns designed to steal valid usernames and passwords, police said.

"Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks," Europol said (see: Block This Now: Cobalt Strike and Other Red-Team Tools).

Swiss authorities, working with Romanian cybersecurity firm Bitdefender, last year shared free decryptors to the public/private No More Ransom portal, built using digital forensic evidence gathered during the operation. Police said the decryptors can decrypt variants of the LockerGoga and MegaCortex ransomware used by the Ukrainian group to encrypt some victims' systems (see: LockerGoga Victims Get Free Decryptor; Police Recovered Keys).


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.