Law enforcement dismembers major ransomware operation in Ukraine

In a joint operation undertaken with law enforcement agencies from across Europe and the US, the Ukrainian authorities have taken five major players in the ransomware ecosystem into custody, including an alleged ringleader.

The accused men were arrested on 21 November following coordinated raids on 30 properties in Kyiv, Cherkasy, Rivne and Vinnytsia. They are alleged to have deployed the LockerGoga, MegaCortex, Hive and Dharma ransomware lockers on the networks of corporate victims in over 70 countries.

European Union (EU) agency Europol, which coordinated the operation, said the arrests came at a critical time as Russia’s war on Ukraine enters its second winter. It’s also the culmination of a multi-year effort dating back nearly five years.

“Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine, with financial support from Eurojust and assistance from both Agencies,” said Europol.

“The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch, German, Swiss and US authorities, to locate the threat actors in Ukraine and bring them to justice,” the agency said. “This international cooperation has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine.”

Following a previous round of arrests made in 2021, additional forensic analysis then enabled the consortium to not only identify and target the suspects arrested last week, but also to work with partners at NoMoreRansom and Bitdefender to develop free decryptors for the LockerGoga and MegaCortex ransomwares.

Those arrested had a range of responsibilities in the overall ecosystem, with some thought to have been actively involved in accessing and compromising their victims’ systems using techniques such as brute force attacks, SQL injection, and phishing and social engineering tactics.

They then used tools such as the TrickBot malware, red teaming framework Cobalt Strike and PowerShell Empire to establish persistence and conduct their ransomware attacks. Others are suspected of taking part in laundering the cryptocurrency payments made by some of their victims.

The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros.

“Arrests of individuals associated with high-profile ransomware incidents send a clear message that there will be consequences for these attacks,” said Mandiant head of cyber crime analysis Kimberly Goody. “The individuals under investigation appear to have served as affiliates of multiple ransomware services over time and/or in supporting functions to enable multiple groups.

“Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects,” she said. “Breaking one link in their organisational cycle can cause significant, albeit temporary, disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world.”

Goody explained that both the LockerGoga and MegaCortex were some of the earlier ransomware variants already in use when the cyber criminal ecosystem began to shift away from mass-distributed ransomware operations to post-compromise deployment on a targeted basis.

She additionally noted that some of the tactics, techniques and procedures outlined by Europol align with activity Mandiant has attributed to an actor affiliated with the group tracked as FIN6, which has historically been associated with Magecart retail attacks, and other high-profile ransomwares including Maze and Ryuk – however, given the complexities of the cyber crime ecosystem and the difficult nature of attribution, a link to the latest arrests cannot be made with confidence.