2 suspected ransomware operators arrested in Ukraine
A coordinated international law enforcement operation led to the arrest of two alleged ransomware operators, though the ransomware gang has not been identified.
Two suspected members of an unnamed ransomware gang have been arrested in Ukraine.
The coordinated operation involving the French National Gendarmerie, the Ukrainian National Police, the FBI, Europol and Interpol led to two arrests Tuesday, along with the seizure of $375,000 in cash. The joint effort also resulted in the seizure of luxury vehicles worth over €200,000 and, more importantly, the freezing of $1.3 million in cryptocurrency assets, the form of payment ransomware gangs typically demand.
While the Europol statement, released Monday, referred to the suspects as "two prolific ransomware operators known for their extortionate ransom demands" it does not reveal the name of the ransomware gang. Europol did not respond to a request for comment at press time.
Europol said the ransom demands ranged between €5 million and €70 million. Demands of that size have become common as ransom amounts continue to increase. For example, REvil demanded $50 million during an attack against PC manufacturer Acer in March.
Though it is not clear which group the suspects are affiliated with, Europol described the extortion tactics employed by the operators, who threatened to leak stolen data if ransom demands were not met. Such double extortion techniques have grown in popularity among several ransomware gangs.
The Cyberpolice of Ukraine released its own statement Monday referring to one suspect as a "25-year-old hacker." In total, the Ukrainian police said the hacker "attacked more than 100 foreign companies in North America and Europe." The sectors cited include energy, tourism and equipment development.
"The virus software got in the equipment of corporations by hacking the program for remote work of the user with the computer (server) and also through spam-mailing on corporate e-mail boxes of malicious content," the statement said, according to a translation by Google. "The damage caused to the victims reaches $150M."
Images and a video taken at the bust show stacks of U.S. currency, Apple laptops, a PC tower and smartphones. Further details from Europol confirmed the geographic scope described by the Ukrainian police, and also revealed when the ransomware operations began.
"The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards," the Europol statement said.
Europol press officer Claire Georges shared one reason the ransomware gang has not yet been named, suggesting the arrests are part of an ongoing operation.
"To all the journalists asking why @Europol is not naming the #ransomware gang -- If the info is not included in our press release, there's a(n operational) reason why -- … believe me, every word in our PRs is carefully chosen/negotiated!" Georges wrote on Twitter.
Europol credited itself with coordinating the joint takedown. According to the statement, its cybercrime specialists organized 12 meetings ahead of the Sept. 28 bust, alongside "providing analytical, malware, forensic and crypto-tracing support." Europol said it also set up a virtual command post to coordinate between all the authorities involved.
"Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy," the Europol statement said.
Joint law enforcement actions, both global and local, have increased over the year as attacks have ramped up in frequency. In January, the infrastructure of the infamous Emotet botnet was taken down during an international operation coordinated by Europol and Eurojust. Two Ukrainian citizens were also suspects in that case.
Ukraine was also the site of two other coordinated law enforcement actions against cybercrime suspects in 2021.
In February, investigators from France's Central Directorate of the Judicial Police and Ukrainian law enforcement, with support from Europol, traced ransoms paid in Bitcoin to suspects in Ukraine. The suspects were believed to be affiliates of the Egregor ransomware gang, which is known for double extortion tactics.
Then in June, six suspected Clop ransomware gang members were arrested, and cars, computer equipment and approximately $185,000 were seized. The sting was the result of a joint law enforcement operation between Ukraine, the United States and South Korea.