International collaboration leads to dismantling of ransomware group in Ukraine amidst ongoing war

In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world. The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory. 

According to a Europol press release, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia on 21 November, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader’s most active accomplices were also detained.

More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian National Police with their investigative measures. This set-up was mirrored from Europol’s headquarters in the Netherlands where a virtual command post was activated to immediately analyse the data seized during the house searches in Ukraine.

This latest action follows a first round of arrests in 2021 in the framework of the same investigation. Since then, a number of operational sprints have been organised at Europol and in Norway with the aim of forensically analysing the devices seized in Ukraine in 2021. This forensic follow-up work facilitated the identification of the suspects targeted during the action last week in Kyiv. 

The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organisations in 71 countries. 

These cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, HIVE and Dharma ransomware, among others, to carry out their attacks.

The suspects had different roles in this criminal organisation. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords.

Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.

The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine, with financial support from Eurojust and assistance from both Agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch, German, Swiss and U.S. authorities, to locate the threat actors in Ukraine and bring them to justice.

This international cooperation has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine.

A Ukrainian cyber police officer was initially seconded to Europol for two months to prepare for the first phase of the action, before being deployed to Europol permanently to facilitate law enforcement cooperation in this field.

The forensic analysis carried out in the framework of this investigation also allowed the Swiss authorities to develop, together with the No More Ransom partners and Bitdefender, decryption tools for the LockerGoga and MegaCortex ransomware variants. These decryption tools have been made available for free on: www.nomoreransom.org.

Find out more

Press release