Europol announced a successful joint law enforcement operation that led to the arrest of two prolific ransomware operators. The group was responsible for hundreds of attacks, often demanding exorbitant ransom demands that ranged from $6 and $81 million, causing more than $150 million in damages.

Overall, the joint operation led to:

  • Two arrests and seven property searches
  • Seizure of $375,000 in cash
  • Seizure of two luxury vehicles worth $251,896.96
  • Asset freezing of $1.3 million in cryptocurrencies

The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies before encrypting their files.

They would then offer a decryption key in return for a ransom payment of several million euros, threatening to leak the stolen data on the dark web should their demands not be met.

The suspects reportedly compromised their victims via spear-phishing campaigns and by targeting remote working tools such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), says Stefano De Blasi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. “This observation highlights how social engineering remains a vital access vector for threat actors, as human curiosity is often exploited to bypass technological defenses. Additionally, the use of RDP and VPN to compromise organizations suggests that the suspects have likely gained access to victims by purchasing Initial Access Broker (IAB) listings on cybercriminal forums and marketplaces.”

Ukrainian police stated that the suspects had an accomplice who helped the group launder money gained from illicit means, De Blasi adds. “The use of individuals skilled in laundering money has been a significant factor in the development of ransomware groups into an effective criminal business model. Although law enforcement agencies have not named the ransomware gang behind this operation, it is unclear what extent the operation will have on the group in question, or the wider ransomware ecosystem.”

Close cooperation between the involved law enforcement authorities, supported by Europol’s Joint Cybercrime Action Taskforce (J-CAT), led to the identification in Ukraine of these two individuals.

Six investigators from the French Gendarmerie, four from the U.S. FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Centre (EC3) and one INTERPOL officer were deployed to Ukraine to jointly conduct investigative measures with the National Police.

Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organized 12 coordination meetings to prepare for the action day, alongside providing analytical, malware, forensic and crypto-tracing support. Europol also set up a virtual command post to ensure seamless coordination between all the authorities involved.

While solitary operations will not provide remediation to the ransomware threat overnight, De Blasi says, “law enforcement operations can have a significant impact to targeted ransomware groups, often resulting in a suspension or disruption of their activity. These raids can achieve their greatest potential when paired with diplomatic efforts, innovative policies, and effective public-private partnerships.”

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company, adds,When it comes to disincentivizing ransomware activities, there are two sides of the coin. First, there is the matter of how organizations can protect themselves, and what investments in people, process, and technology they're making to increase their resilience against the sort of disruption that ransomware represents. Coordinated law enforcement is the other half of that coin and these arrests signal that when it comes to recent proclamations about the unacceptability of ransomware there is some bite to the bark.”