Working with Europol and Eurojust, law enforcement agencies from seven countries detained in Ukraine the core members of a ransomware group connected to attacks against companies in 71 countries. The cybercriminals crippled large companies’ operations with ransomware families including LockerGoga, MegaCortex, HIVE, and Dharma. Responsibilities within the criminal network varied greatly: some individuals infiltrated IT networks, while others helped launder the Bitcoin payments victims made to decrypt their files. The threat operators gained access to their targets’ networks through brute-force and SQL injection attacks and through phishing emails with malicious attachments used to steal user login credentials. Once inside, they employed malware and tooling including TrickBot, Cobalt Strike, and PowerShell Empire to move laterally and compromise more systems before launching the ransomware payloads they had already distributed. According to the investigation, the organized group of ransomware affiliates encrypted over 250 servers of large companies, resulting in losses of several hundred million euros.
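The paragraph above names brute-force logins as one of the group’s initial-access vectors. The following Python script is an added illustration, not taken from this article or from SpearTip, of how a defender can flag that behaviour in authentication logs: it parses OpenSSH-style “Failed password” / “Accepted password” lines, counts failures per source address inside a sliding time window, and records whether a successful login followed the burst, which is the case that most needs investigation. The log lines, the threshold, the window length, and the year attached to the year-less syslog timestamps are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style (not real logs).
# 203.0.113.7 makes a burst of failures and then succeeds as "backup";
# 198.51.100.4 is a normal user mistyping a password once.
SAMPLE_LOG = """\
Nov 21 08:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 21 08:00:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Nov 21 08:00:04 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Nov 21 08:00:06 srv sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Nov 21 08:00:07 srv sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Nov 21 08:00:09 srv sshd[1206]: Accepted password for backup from 203.0.113.7 port 51027 ssh2
Nov 21 08:05:00 srv sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Nov 21 08:05:30 srv sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) or None for lines we don't care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP that accumulates `threshold` failed logins
    inside a sliding `window`; if that IP later authenticates successfully,
    record the account, since a success after a burst is the priority case."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, username)
    alerts = []                      # one dict per alerted ip
    alerted = {}                     # ip -> index into alerts

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed

        if result == "Failed":
            q = failures[ip]
            q.append((ts, user))
            # Drop failures that fell out of the window.
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted[ip] = len(alerts)
                alerts.append({
                    "ip": ip,
                    "first_seen": q[0][0],
                    "failures": len(q),
                    "users_tried": sorted({u for _, u in q}),
                    "success_after": None,
                })
        elif ip in alerted:
            # Successful login from an address that already tripped the alert.
            alert = alerts[alerted[ip]]
            if alert["success_after"] is None:
                alert["success_after"] = user
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} failures, users {a['users_tried']}, "
              f"success afterwards as {a['success_after']!r}")
```

The window and threshold are the knobs to tune against the environment’s own baseline; a single-source burst across several usernames followed by an “Accepted” line is the pattern worth paging on, while one lone failure per user, as in the second address, should never alert.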
Ransomware Group in Ukraine Arrested
Coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia on November 21st resulted in the arrest of the group’s 32-year-old mastermind and four of his collaborators. Over 20 Norwegian, French, German, and American investigators assisted the Ukrainian National Police with the operation in Kyiv. Additionally, Europol established a virtual command center in the Netherlands to analyze data acquired during the house searches. According to the National Police of Ukraine’s Department of Cyber Police, officers supported by the TOR special unit conducted over 30 authorized searches of the suspects’ premises and cars in the Kyiv, Cherkasy, Rivne, and Vinnytsia regions. Evidence of illegal activity was seized, including computer equipment, cars, bank and SIM cards, “draft” records, dozens of electronic storage devices, and about 4 million hryvnias as well as cryptocurrency assets. The operation follows arrests made in 2021 as part of the same law enforcement effort, in which authorities arrested 12 people connected to ransomware attacks on 1,800 victims in 71 countries.
The threat operators used LockerGoga, MegaCortex, and Dharma ransomware, according to the findings of the probe two years ago. In their attacks, the threat actors used malware including TrickBot and post-exploitation frameworks including Cobalt Strike. The Europol and Norwegian investigative efforts focused on examining data from devices confiscated in Ukraine in 2021, which helped identify the additional suspects arrested a week ago in Kyiv. The international police operation was launched by French authorities in September 2019 with the goal of locating and prosecuting threat actors in Ukraine, with the assistance of a joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine, financial support from Eurojust, and collaboration with Dutch, German, Swiss, and US authorities. Among the collaborating law enforcement agencies are:
With the most recent takedown of a ransomware group, it’s important for companies of any size to notify their local law enforcement of any potential cyberattack or ransomware attack. Additionally, companies should remain alert to the current threat landscape and regularly back up their data and networks. At SpearTip, our engineers and analysts continuously monitor companies’ security infrastructure for potential ransomware threats from our 24/7/365 Security Operations Center and are ready to respond to incidents at a moment’s notice. Throughout breach investigations, our Incident Response team provides clear and concise information accessible to all stakeholders for all manner of cyber incidents. Our Digital Forensics investigations are led by seasoned industry professionals who meticulously gather, handle, and catalog data following a breach. SpearTip’s forensics professionals reconstruct the lifecycle of an incident, securing all relevant and vital data from every affected endpoint and storage device for evidence rebuilding or courtroom testimony. Our ShadowSpear Platform, an integrable managed detection and response tool, integrates with IT and security technology providers to enable the correlation of events from firewalls and network devices on a single pane of glass.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.