Ransomware gang behind attacks on hundreds of orgs in 71 countries dismantled in Ukraine

 

An international law enforcement operation involving Ukrainian cyberpolice, Europol, Eurojust and law enforcement agencies from six countries has taken down a prolific ransomware gang that targeted hundreds of organizations in 71 countries across the world.

The group specifically targeted large corporations, deploying LockerGoga, MegaCortex, HIVE, Dharma and other ransomware to encrypt victims’ servers, Europol said.

Active since 2018, the group has been targeting major businesses in France, Norway, Germany, the Netherlands, Canada, and the US. The ransomware actors gained access to the victims’ networks by hacking employees’ accounts using social engineering techniques. The compromised accounts were used to deploy malicious code within the target environment.

After gaining access to the network, the attackers used tools like the TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.

The hackers then encrypted the company’s servers and demanded payment for restoring the data, Ukraine’s police said in a press release.

In one instance, the attackers demanded a 450 Bitcoin ransom from a major chemical company in the Netherlands. Since the start of the operation, the group has encrypted over 1,000 servers belonging to large corporations, causing over $82 million in losses, the agency said.

The police conducted searches in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, and arrested five key members of the ransomware gang, including its 32-year-old leader. The suspects allegedly developed and updated the malware, carried out cyberattacks and helped launder ransomware payments.

This law enforcement operation follows the November 2021 arrests of 12 individuals in Ukraine and Switzerland linked to ransomware attacks against critical infrastructure and large corporations that affected over 1,800 victims in 71 countries.

