Connect with us

Hi, what are you looking for?



Police Dismantle Major Ukrainian Ransomware Operation

Police from several countries have dismantled a major Ukraine-based ransomware operation and arrested its alleged ringleader.

Law enforcement agencies in seven countries teamed up with Europol and Eurojust to dismantle a major Ukraine-based ransomware operation.

According to Europol, 30 properties were searched on November 21 in four regions of Ukraine, resulting in the arrest of a 32-year-old who is allegedly the operation’s ringleader, as well as four key accomplices. 

This law enforcement activity is part of an operation that resulted in the arrests of a dozen individuals back in 2021. 

The cybercrime operation targeted thousands of entities across 71 countries. Europol said the malicious hackers disrupted the operations of large corporations, deploying MegaCortex, Hive, LockerGoga and Dharma ransomware in their attacks.

Some of the suspects were involved in hacking into the networks of the targeted organizations, while others are accused of laundering the ransom payments made by victims. 

The use of multiple file-encrypting ransomware families and the roles of the suspects suggest that they were ransomware-as-a-service affiliates.

The cybercriminals used SQL injections, phishing emails, and brute force attacks to gain access to networks. They then deployed malware such as TrickBot and tools such as Cobalt Strike and PowerShell Empire to gain access to other systems. 

Authorities said more than 250 servers belonging to major organizations were encrypted, which resulted in losses totaling hundreds of millions of dollars. 

Advertisement. Scroll to continue reading.

“The individuals under investigation appear to have served as affiliates of multiple ransomware services over time and/or in supporting functions to enable multiple groups,”  said Kimberly Goody, Mandiant Head of Cybercrime Analysis, Google Cloud.

“Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects. Breaking one link in their organizational cycle can cause significant – albeit temporary – disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world,” Goody added.

“LockerGoga and Megacortex were notably some of the earlier ransomware variants in use when the cyber criminal community began shifting away from mass distributed ransomware and point-of-sale operations to post-compromise ransomware deployment targeting corporations.

“The ransomware variants allegedly associated with these actors have hit organizations in healthcare and other critical industries. Some of the TTPs described in the press release align with activity we have historically attributed to a FIN6-affiliated actor including the use of Trickbot and Lockergoga, however, given the complexities and interdependence of the cyber crime ecosystem we cannot confirm at this time whether this law enforcement action is associated with this threat actor,” Goody added.

*updated with comments from Mandiant  

Related: Two ‘Prolific’ Ransomware Operators Arrested in Ukraine

Related: Russian National Arrested in Canada Over LockBit Ransomware Attacks

Related: Ransomware Group That Targeted Over 50 Companies Dismantled in Ukraine

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Management & Strategy

Anna Tutt, CMO of Oort, shares her experiences and perspectives on how we can accelerate growth of women in cybersecurity.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


A new CISA pilot program to warn critical infrastructure organizations if their systems are unpatched against vulnerabilities exploited in ransomware attacks.

Cybersecurity Funding

B2B payment security provider NsKnox raised $17 million in a new funding round that brings the total raised by the company to $35.6 million.

Cybersecurity Funding

Silk Security raised $12.5 million in seed funding and is on a mission to break down the silos between security and development with an...


ICS Patch Tuesday: Siemens and Schneider Electric have published more than a dozen advisories addressing over 200 vulnerabilities.


Exploitation of a critical vulnerability (CVE-2023-46747) in F5’s  BIG-IP product started less than five days after public disclosure and PoC exploit code was published.


Google has suspended the Chinese shopping app Pinduoduo on its app store after malware was discovered in versions of the app from other sources.