Europol and its international law enforcement partners have arrested five individuals who authorities accuse of involvement in a string of ransomware attacks affecting more than 1,800 victims worldwide.
The arrested individuals, which include the criminal gang’s ringleader, 32, and four of his “most active” accomplices, were arrested following a series of raids at 30 properties across Ukraine last week, Europol said in a statement on Tuesday. The suspects were not named.
More than 20 investigators from Norway, France, Germany and the United States helped the Ukrainian National Police with the investigation in Kyiv, while Europol also set up a virtual command center in the Netherlands to process the data seized during the searches.
According to a separate announcement from Ukraine’s Cyber Police, law enforcement officials seized computer equipment, cars, bank and phone SIM cards, and dozens of items of electronic media.
The police also seized cryptocurrency assets, including almost four million hryvnias (around $110,000), and other alleged evidence of illegal activities.
The arrests are the latest in a years-long investigation that in 2021 saw 12 individuals arrested in raids in Ukraine and Switzerland. Europol said in its announcement Tuesday that its earlier actions subsequently “facilitated the identification of the suspects targeted during the action last week in Kyiv.”
The five individuals arrested last week stand accused of encrypting over 250 servers belonging to large corporations, and successfully extorting “several hundred million euros” from its victims.
The perpetrators are believed to have played different roles in the criminal network: Some used brute-force attacks and stolen credentials to break into a victim’s network; some used malware, such as Trickbot, to remain undetected and gain further access; and others are suspected of overseeing the laundering of cryptocurrency payments made by victims to regain access to their stolen files.
Europol accused the hackers of “wreaking havoc” on targeted organizations. One of the ransomware variants the group used was LockerGoga, the same kind of malware used in the cyberattack against Norwegian aluminum processor Norsk Hydro in March 2019. The attackers also deployed MegaCortex, Hive and Dharma ransomware, according to Europol’s announcement.
Europol’s investigation into this criminal organization has also allowed Swiss authorities, in collaboration with Bitdefender and the European Union’s No More Ransom project, to develop decryption tools for the LockerGoga and MegaCortex ransomware variants. These tools allow victims to recover their stolen files without having to pay a ransom.