Europol and its international law enforcement partners have arrested five individuals accused by authorities of being involved in a string of ransomware attacks that affected more than 1,800 victims across the world.
The five, who included the leader of the criminal gang, 32, and four of his “most active” associates, were arrested after a series of raids on 30 properties across Ukraine last week, Europol said in a statement on Tuesday. The suspects have not been named.
More than 20 investigators from Norway, France, Germany, and the United States assisted the Ukrainian National Police in the investigation in Kyiv, while Europol also established a virtual command center in the Netherlands to process data seized during the searches.
According to a separate announcement from the Cyber Police of Ukraine, law enforcement officials seized computer equipment, vehicles, bank and telephone SIM cards, and many electronic media items.
Police also seized cryptocurrency assets, including nearly four million hryvnias (about $110,000), and other alleged evidence of illegal activities.
The arrests are the latest in a year-long investigation that in 2021 saw 12 individuals arrested in raids in Ukraine and Switzerland. Europol said in its announcement on Tuesday that its initial actions “facilitate the identification of the suspects targeted in last week’s action in Kyiv.”
The five people arrested last week are accused of encrypting more than 250 servers belonging to large corporations, and successfully extorting “several hundred million euros” from their victims.
The perpetrators are believed to have played different roles in the criminal network: some used brute-force attacks and stolen credentials to break into a victim’s network; others used malware, such as Trickbot, to stay undetected and gain more access; and others are suspected of managing the laundering of cryptocurrency payments made by victims to regain access to their stolen files.
Europol accused the hackers of “causing damage” to the targeted organisations. One of the ransomware variants used by the group is LockerGoga, the same type of malware used in the cyberattack against the Norwegian aluminum processor Norsk Hydro in March 2019. The attackers also deployed MegaCortex, Hive, and Dharma ransomware, according to Europol’s announcement.
Europol’s investigation into this criminal organization also allowed the Swiss authorities, in collaboration with Bitdefender and the No More Ransom project of the European Union, to create decryption tools for the LockerGoga and MegaCortex ransomware variants. These tools allow victims to recover their stolen files without having to pay a ransom.