Ransomware Ring Detained after Attacking 71 Countries

This post is also available in: עברית (Hebrew)

Law enforcement agencies from seven countries have recently busted “key figures” behind an international ransomware operation that was operating from several locations inside Ukraine.

Over 30 properties in Ukraine’s territory were searched the previous week, which resulted in the arrest of the 32-year-old ringleader of the ransomware operation, as well as four accomplices. Two dozen investigators from Norway, France, Germany, and the United States were deployed alongside Ukrainian colleagues in Kyiv during the war between Russia and Ukraine.

According to Cybernews, international involvement in the anti-ransomware operation was necessary because of the suspects’ activities, which according to Europol include being “responsible for a series of high-profile ransomware attacks against organizations in 71 countries.” Europol further stated that the cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, HIVE, and Dharma ransomware, among others, to carry out their attacks.

The recent announcements revealed that there were many authorities from many countries involved in the arrests, including Norway’s National Criminal Investigation Service, the Public Prosecutor’s Office of Paris, the National France Police, the National Netherlands Police, the National Police of Ukraine, the Public Prosecutor’s Office of Stuttgart, Swiss Federal Office of Police, United States Secret Service, FBI, Europol and Eurojust.

According to law enforcement reports, the recent arrests are a continuation of an investigation that resulted in several arrests that were made in 2021 (when a dozen individuals targeting critical infrastructure were detained).

The actions performed by the suspects within the ransomware ring include compromising target IT networks or laundering ransom money received from victims. The investigation determined that the offenders encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.