Global blow to cybercrime: a major ransomware network has fallen

In a notable joint operation involving Europol and Eurojust, law enforcement agencies from seven nations conducted arrests in Ukraine, targeting key members of an organization responsible for ransomware attacks in 71 countries. Cybercriminals had launched attacks on notable international companies, using ransomware such as LockerGoga, MegaCortex and HIVE, blocking operations and demanding cryptocurrency payments to decrypt the seized data.

Attack methodologies and tools

The roles within this criminal network were diverse, with some members infiltrating corporate networks via brute force attacks, SQL injection and phishing, while others handled the money laundering of the collected cryptocurrencies. After access, they used advanced malware such as TrickBot and post-exploitation tools such as Cobalt Strike and PowerShell Empire to extend their presence within network infrastructures and activate previously implanted ransomware.

Joint operation leads to seizures and arrests

Joint efforts of international agencies led to the execution of synchronized raids in 30 locations in Kyiv and neighboring regions, culminating in the arrest of a 32-year-old man believed to be the leader of the gang and four of his accomplices. These efforts are part of a campaign of enforcement actions begun in 2019 by the French authorities and continue to bear fruit thanks to international collaboration.

Teams and entities in action against cybercrime

Various authorities were involved, such as the National Criminal Investigation Service (Kripos) of Norway, the French OCLCTIC under the aegis of the National Police and police and investigation bodies from the Netherlands, Germany, Switzerland, the United States, as well as of Europol (EC3) and Eurojust. These bodies have formed a joint investigation team (JIT) which aims to flatten the cybercriminal threat and guarantee international digital security.