Europol announced a coordinated international law enforcement operation against a dozen suspected ransomware threat actors, but questions remain regarding who the suspects are and whether they've been arrested.
Twelve alleged ransomware threat actors were "targeted" in an international operation coordinated by Europol and Eurojust, Europol announced Friday. The suspects are accused of being involved in ransomware attacks against critical infrastructure.
Europol, which was involved in a coordinated law enforcement operation against two suspected Ukrainian ransomware actors earlier this month, said the suspects were involved in ransomware attacks that "affected over 1,800 victims in 71 countries." In addition, Europol said that all the suspects are known for "specifically targeting" large businesses.
Authorities from Norway, France, the Netherlands, Ukraine, the U.K., Germany, Switzerland and the United States were involved in the operation, in addition to Europol and Eurojust. Europol listed LockerGoga, MegaCortex and Dharma ransomware as those used by the suspects, as well as other unnamed variants.
LockerGoga was the ransomware used in the 2019 Norsk Hydro ransomware attack. Kripos, Norway's National Criminal Investigation Service, said in a separate press release that Hydro was among the 1,800 victims.
Europol did not specify in the press release whether targets were arrested or detained, but it said that "actions" took place on Oct. 26 in Ukraine and Switzerland. More than $52,000 in U.S. currency was seized in the operation, as well as five luxury vehicles and a number of electronic devices currently being scanned for evidence.
"Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions," the Europol press release read.
A Europol spokesperson told SearchSecurity that "there are ongoing judicial procedures" against the suspects, and advised contacting Ukrainian authorities for more details. SearchSecurity asked Ukrainian police for additional clarification, but the agency has not responded at press time.
The release also didn't specify what ransomware groups the suspects were affiliated with or what capacity -- only that they "all had different roles" in "professional, highly organized criminal organizations." Some were accused of penetrating victim networks and moving laterally within them, while others were suspected of deploying malware or laundering ransom payments. The suspects' relationships to each other are also unknown.
"Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute-force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments," the press release said. "Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to stay undetected and gain further access."
The Europol spokesperson told SearchSecurity that the suspects were independent ransomware operators but "with close ties to each other," underpinned by ransomware as a service.
Ukrainian police released footage of a raid related to the operation on YouTube Friday; one suspect is seen being detained during the search. According to the video's description, the suspects face up to 12 years in prison.
In addition to the two operations this month, Europol and Eurojust coordinated an international law enforcement operation in January to disrupt the infamous Emotet botnet.
Alexander Culafi is a writer, journalist and podcaster based in Boston.