European police say they’ve dismantled a ransomware group in Ukraine that was behind a series of high-profile attacks on corporations across the globe.
Law enforcement arrested the suspected 32-year-old ringleader of the group, along with four of his most active accomplices, Europol said on Tuesday. Law enforcement agencies, including officials from the US, also helped investigate 30 properties across Ukraine, including in the capital of Kyiv, tied to the gang.
Europol didn’t say whether the gang developed the ransomware code. But the group used several ransomware strains, including “LockerGoga, MegaCortex, HIVE and Dharma” to attack companies. This suggests they operated as an “affiliate,” buying access to the attacks from ransomware code developers.
Europol adds: “The suspects had different roles in this criminal organization. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.”
To spread ransomware to the corporations, the group resorted to sending phishing emails to employees or guessing their login passwords. Once inside a company network, the gang would use other tools, including the Trickbot malware, to gain wider access. The ensuing ransomware attack would then encrypt servers across the network, forcing the victim companies to pay up in cryptocurrency or risk losing their data forever.
“These attacks are believed to have affected over 1,800 victims in 71 countries,” added the European Union Agency for Criminal Justice Cooperation. “The perpetrators targeted large corporations, effectively bringing their business to a standstill and causing losses of at least several hundred millions of euros.”
The Cyber Police of Ukraine also assisted in taking down the gang, which allegedly began targeting companies in 2018. In one example, the group demanded a company in the Netherlands pay 450 Bitcoin ($16.8 million in today’s value) to restore its servers.
“It has been established that over several years of criminal activity, the criminals encrypted over 1,000 servers of global enterprises and caused damages amounting to more than 3 billion hryvnias (US$82 million) in the national currency,” the Cyber Police of Ukraine added.
The takedown occurs as ransomware attacks may be on the rise again. September saw a record number of attacks, with 514 victims, according to cybersecurity firm NCC Group.