Cybercops bust ransomware gang that made "hundreds of millions"

Only one arrest was made


International operation nabs gang of corporate ransomware hackers, but only one arrest is made

A network of criminal hackers that extorted hundreds of millions of euros from about 1,800 companies has been nabbed in Ukraine after a four-year international investigation.

Police arrested the ringleader and detained four suspected accomplices after raiding 30 hacker hideouts from which the crooks had hit corporations - mostly large ones - in 71 countries. Police bagged more than a hundred digital tools. It is not known whether, or how many of, the criminals evaded arrest.

Agents from Norway, France and the US, who have been operating in Kyiv since an earlier round of related ransomware busts two years ago, helped Ukrainian police bag the crooks, said Eurojust, the EU criminal prosecution agency, yesterday.

They had been working on the case since 2019, when the UK helped set it up. Dutch, German and Swiss agents mucked in as well, when they found they had all been investigating the same criminal network. Europol helped them with expertise in digital forensics, cryptocurrency and malware.

The hackers worked in teams, each with a different specialism. Some of them specialised in infiltrating corporate computer networks using brute force attacks, SQL injections, stolen passwords, and phishing emails with malicious attachments.

Once those hackers had broken in, others widened their access to the victim's computer systems, using malware such as Trickbot and post-exploitation tools such as Cobalt Strike and PowerShell.

And there they would lurk, sometimes for months at a time, waiting for their moment before striking with ransomware such as LockerGoga, MegaCortex, Hive and Dharma.

The ransomware encrypted the victim's computers and demanded payment in bitcoin in return for decryption keys.

Kimberly Goody, Head of Cybercrime Analysis at Mandiant, Google Cloud, said in a written statement:

"Arrests of individuals associated with high profile ransomware incidents send a clear message that there will be consequences for these attacks. The individuals under investigation appear to have served as affiliates of multiple ransomware services over time and/or in supporting functions to enable multiple groups.

"Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects. Breaking one link in their organizational cycle can cause significant - albeit temporary - disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world."

The statement continues:

"LockerGoga and MegaCortex were notably some of the earlier ransomware variants in use when the cyber criminal community began shifting away from mass distributed ransomware and point-of-sale operations to post-compromise ransomware deployment targeting corporations. The ransomware variants allegedly associated with these actors have hit organizations in healthcare and other critical industries.

"Some of the TTPs described in the press release align with activity we have historically attributed to a FIN6-affiliated actor, including the use of Trickbot and LockerGoga; however, given the complexities and interdependence of the cyber crime ecosystem, we cannot confirm at this time whether this law enforcement action is associated with this threat actor."