Law enforcement agencies in seven countries teamed up with Europol and Eurojust to dismantle a major Ukraine-based ransomware operation.
According to Europol, 30 properties were searched on November 21 in four regions of Ukraine, resulting in the arrest of a 32-year-old who is allegedly the operation’s ringleader, as well as four key accomplices.
This law enforcement activity is part of an operation that resulted in the arrests of a dozen individuals back in 2021.
The cybercrime operation targeted thousands of entities across 71 countries. Europol said the malicious hackers disrupted the operations of large corporations, deploying MegaCortex, Hive, LockerGoga and Dharma ransomware in their attacks.
Some of the suspects were involved in hacking into the networks of the targeted organizations, while others are accused of laundering the ransom payments made by victims.
The use of multiple file-encrypting ransomware families and the roles of the suspects suggest that they were ransomware-as-a-service affiliates.
The cybercriminals used SQL injections, phishing emails, and brute force attacks to gain access to networks. They then deployed malware such as TrickBot and tools such as Cobalt Strike and PowerShell Empire to gain access to other systems.
Authorities said more than 250 servers belonging to major organizations were encrypted, which resulted in losses totaling hundreds of millions of dollars.
“The individuals under investigation appear to have served as affiliates of multiple ransomware services over time and/or in supporting functions to enable multiple groups,” said Kimberly Goody, Mandiant Head of Cybercrime Analysis, Google Cloud.
“Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects. Breaking one link in their organizational cycle can cause significant – albeit temporary – disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world,” Goody added.
“LockerGoga and Megacortex were notably some of the earlier ransomware variants in use when the cyber criminal community began shifting away from mass distributed ransomware and point-of-sale operations to post-compromise ransomware deployment targeting corporations.
“The ransomware variants allegedly associated with these actors have hit organizations in healthcare and other critical industries. Some of the TTPs described in the press release align with activity we have historically attributed to a FIN6-affiliated actor including the use of Trickbot and Lockergoga, however, given the complexities and interdependence of the cyber crime ecosystem we cannot confirm at this time whether this law enforcement action is associated with this threat actor,” Goody added.
*updated with comments from Mandiant