1 November 2021

Police arrest 12 individuals involved in ransomware attacks against 1,800 organizations worldwide


In the latest action against cybercrime groups, 12 individuals were arrested on suspicion of launching ransomware attacks against critical infrastructure and large corporations that affected over 1,800 victims in 71 countries.

The arrests were made on 26 October, 2021 in Ukraine and Switzerland as part of an international law enforcement operation coordinated by Europol and Eurojust. During the raids the police seized 5 luxury vehicles, over $52,000 in cash, and a number of electronic devices that “are currently being forensically examined to secure evidence and identify new investigative leads”, Europol said in a press release.

The suspects have been linked to LockerGoga, MegaCortex and Dharma ransomware. The group is believed to be behind a LockerGoga ransomware attack on the Norway-based aluminum manufacturer Norsk Hydro in 2019, which crippled production across the company’s factories on two continents.

“The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments,” Europol said.

After infiltrating the victim network, threat actors would move laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to evade detection and gain further access.

Some of the suspects, the agency said, were in charge of laundering the ransom payments through mixing services.

“Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said.
