Global law enforcement collaboration strikes against ransomware networks targeting large corporations

Law enforcement and judicial authorities from seven countries, in collaboration with Europol and Eurojust, have united to dismantle and apprehend key figures responsible for major ransomware operations that have caused widespread chaos worldwide. This operation is particularly crucial as Ukraine faces the challenges posed by Russia’s military aggression on its territory. The hackers have gained notoriety for their deliberate targeting of large corporations, effectively paralyzing their operations. They have employed various ransomware strains, including LockerGoga, MegaCortex, HIVE, and Dharma, to execute their disruptive attacks.

“On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader’s most active accomplices were also detained,” Europol identified in a Tuesday media statement. “More than 20 investigators from Norway, France, Germany, and the United States were deployed to Kyiv to assist the Ukrainian National Police with their investigative measures. This set-up was mirrored from Europol’s headquarters in the Netherlands where a virtual command post was activated to immediately analyze the data seized during the house searches in Ukraine.”

The agency also added that the latest action follows a first round of arrests in 2021 in the framework of the same investigation. Since then, a number of operational sprints have been organized at Europol and in Norway with the aim of forensically analyzing the devices seized in Ukraine in 2021. This forensic follow-up work facilitated the identification of the suspects targeted during the action last week in Kyiv.

The participating authorities in the operation were Norway’s National Criminal Investigation Service (Kripos); France’s Public Prosecutor’s Office of Paris, National Police (Police Nationale – OCLCTIC); Netherlands’ National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie); Ukraine Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України); Germany Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen; and Switzerland’s Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police. 

Additionally, the U.S Secret Service (USSS) and Federal Bureau of Investigation (FBI); Europol’s European Cybercrime Centre (EC3), and Eurojust also took part in the operations. The investigation benefited from funding from the European Multidisciplinary Platform Against Criminal Threats (EMPACT). 

Europol disclosed that the individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organizations in 71 countries. “The suspects had different roles in this criminal organization. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.”

Additionally, those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections, and sending phishing emails with malicious attachments in order to steal usernames and passwords.

“Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike, and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks,” the agency revealed. “The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.”

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the U.K., and Ukraine, with financial support from Eurojust and assistance from both agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch, German, Swiss, and U.S. authorities, to locate the threat actors in Ukraine and bring them to justice.

The international cooperation has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine. Furthermore, a Ukrainian cyber police officer was initially seconded to Europol for two months to prepare for the first phase of the action, before being deployed to Europol permanently to facilitate law enforcement cooperation in this field.

From the onset of the investigation, Europol’s EC3 hosted operational meetings, providing digital forensic, cryptocurrency, and malware support, and facilitating the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters. Eurojust hosted twelve coordination meetings to facilitate communication and judicial cooperation between the authorities involved.

The forensic analysis carried out in the framework of this investigation also allowed the Swiss authorities to develop, together with the No More Ransom partners and Bitdefender, decryption tools for the LockerGoga and MegaCortex ransomware variants.

In October, Europol, alongside multiple international law enforcement agencies, coordinated a significant operation against the Ragnar Locker ransomware group, leading to the arrest of its main developer in Paris and actions in countries like Czechia, Spain, and Latvia. Additionally, the group’s infrastructure across the Netherlands, Germany, and Sweden was dismantled, with their Tor data leak site being shut down after an extensive multi-country investigation.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.