Ransomware operators behind hundreds of attacks arrested in Ukraine

Europol has announced the arrest of two men in Ukraine, said to be members of a prolific ransomware operation that extorted victims with ransom demands ranging between €5 to €70 million.

Two arrests in Ukraine

The international law enforcement operation was conducted in coordination with the FBI, the French police (Gendarmerie Nationale), and the Ukrainian National Police (Національна поліція України). In total, the police officers performed seven property searches, seized $375,000 in cash, and two luxury vehicles that cost about $250,000. Furthermore, the investigators froze $1.3 million worth of crypto that is believed to be linked to ransom payments.

Coordinated announcements from Europol and the Ukrainian police describe the suspects as members of a top-tier group, but Europol told BleepingComputer that they could not name the group for operational reasons.

"Both these individuals were part of the same group which focused not only on ransom attacks, but also laundered criminal funds," Europol told BleepingComputer.

Both suspects were arrested in Kyiv City, with one of the individuals described as a 25-year old male "hacker."

The law enforcement agencies attribute approximately a hundred cyberattacks to the gang, starting in April 2020, that targeted North American and European entities. As for the modus operandi, it follows the typical network compromise, malware deployment, data exfiltration, and eventually the encryption of all local files.

The initial points of compromise are the victim's VPN tool or through emails to employees that drop payloads on their computers.

It is estimated that the total damages caused to the victimized organizations are $150 million.

The law enforcement operation took the combined efforts of six French investigators, four from the FBI, one Interpol officer, and two of Europol’s cybercrime specialists.

Disrupting ransomware operations

These arrests will likely not bring down an entire Ransomware-as-a-Service (RaaS) operation. However, law enforcement has been increasingly targeting individual members as a way to disrupt gang's activities.

Furthermore, Successful law enforcement operations tend to have chilling effects on the operation of illegal hacking groups as they spread fear and uncertainty among the other members, commonly leading to the group's shutdown or rebranding.

The announcement from Ukraine's cyber-police says the arrested individuals face up to twelve years in prison for violations of two articles of the criminal code in the country, one for unauthorized interference in computer networks and systems, and one for money laundering.

The Ukrainian police also arrested other individuals this year believed to be members of the Clop and Egregor ransomware operations.