Law enforcement agencies from seven countries, working with Europol and Eurojust, have arrested key members of a ransomware group in Ukraine linked to attacks against organizations in 71 countries. Cybercriminals are using ransomware such as LockerGoga, MegaCortex, HIVE and Dharma to carry out attacks, paralyzing the operations of major companies.

The roles within this criminal network vary widely: some members breach IT networks, while others reportedly help victims pay cryptocurrency to decrypt their files.

Attackers gain access to target networks by stealing user credentials through brute-force and SQL injection attacks, and by sending phishing emails with malicious attachments.

Once inside, they use tools such as TrickBot malware, Cobalt Strike and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.

Investigations revealed that this organized ransomware-affiliated group encrypted more than 250 servers of large companies, resulting in losses exceeding hundreds of millions of euros.

On November 21, coordinated raids in 30 locations in Kiev, Cherkasy, Rivne and Vinnitsa led to the arrest of the group's 32-year-old mastermind and the capture of four accomplices.

More than 20 investigators from Norway, France, Germany and the United States are assisting the Ukrainian National Police in the investigation in Kiev. Europol has also set up a virtual command center in the Netherlands to process data captured during house searches.

This action follows the arrest of 12 individuals in 2021 in connection with ransomware attacks targeting 1,800 victims in 71 countries as part of the same law enforcement operation.

As investigations from two years ago revealed, attackers deployed LockerGoga, MegaCortex and Dharma ransomware. They also used malware such as TrickBot and post-exploitation tools such as Cobalt Strike in their attacks.

Europol and Norway's subsequent efforts will focus on analyzing data from devices seized in Ukraine in 2021 and helping to identify other suspects arrested in Kiev a week ago.

This international police operation was launched by French authorities in September 2019 and focuses on finding threat actors in Ukraine and bringing them to justice with the help of the Joint Investigation Team (JIT) composed of Norway, France, the United Kingdom and Ukraine, with support from Eurojust and cooperation with authorities in the Netherlands, Germany, Switzerland and the United States.

The list of participating law enforcement agencies includes:

Norway: National Criminal Investigation Service (Kripos)

France: Paris Prosecutor’s Office, National Police (Police Nationale - OCLCTIC)

Netherlands: National Police (Politie), National Prosecution Service (Landelijk Parket, Openbaar Ministerie)

Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), Ukrainian National Police (Національна поліція України)

Germany: Stuttgart Prosecutor's Office, Reutlingen Police Headquarters (Polizeipräsidium Reutlingen), CID Esslingen

Switzerland: Swiss Federal Police (fedpol), Basel Cantonal Police, Zurich Cantonal Prosecutor’s Office, Zurich Cantonal Police

United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI)

Europol: European Cybercrime Center (EC3)

Eurojust