Getty Images/iStockphoto

Europol 'targets' 12 suspects in ransomware bust

Europol has not said whether the suspected ransomware actors were arrested or detained, but the 12 were allegedly involved in attacks that affected 1,800 victims in 71 countries.

Europol announced a coordinated international law enforcement operation against a dozen suspected ransomware threat actors, but questions remain regarding who the suspects are and whether they've been arrested.

Twelve alleged ransomware threat actors were "targeted" in an international operation coordinated by Europol and Eurojust, Europol announced Friday. The suspects are accused of being involved in ransomware attacks against critical infrastructure.

Europol, which was involved in a coordinated law enforcement operation against two suspected Ukrainian ransomware actors earlier this month, said the suspects were involved in ransomware attacks that "affected over 1,800 victims in 71 countries." In addition, Europol said that all the suspects are known for "specifically targeting" large businesses.

Authorities from Norway, France, the Netherlands, Ukraine, the U.K., Germany, Switzerland and the United States were involved in the operation, in addition to Europol and Eurojust. Europol listed LockerGoga, MegaCortex and Dharma ransomware as those used by the suspects, as well as other unnamed variants.

LockerGoga was the ransomware used in the 2019 Norsk Hydro ransomware attack. Kripos, Norway's National Criminal Investigation Service, said in a separate press release that Hydro was among the 1,800 victims.

Europol ransomware
Europol said law enforcement agencies conducted raids in Ukraine and Switzerland and seized five luxury vehicles, $52,000 in U.S. currency and various electronic devices.

Europol did not specify in the press release whether targets were arrested or detained, but it said that "actions" took place on Oct. 26 in Ukraine and Switzerland. More than $52,000 in U.S. currency was seized in the operation, as well as five luxury vehicles and a number of electronic devices currently being scanned for evidence.

"Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions," the Europol press release read.

A Europol spokesperson told SearchSecurity that "there are ongoing judicial procedures" against the suspects, and advised contacting Ukrainian authorities for more details. SearchSecurity asked Ukrainian police for additional clarification, but the agency has not responded at press time.

The release also didn't specify what ransomware groups the suspects were affiliated with or what capacity -- only that they "all had different roles" in "professional, highly organized criminal organizations." Some were accused of penetrating victim networks and moving laterally within them, while others were suspected of deploying malware or laundering ransom payments. The suspects' relationships to each other are also unknown.

"Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute-force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments," the press release said. "Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to stay undetected and gain further access."

The Europol spokesperson told SearchSecurity that the suspects were independent ransomware operators but "with close ties to each other," underpinned by ransomware as a service.

Ukrainian police released footage of a raid related to the operation on YouTube Friday; one suspect is seen being detained during the search. According to the video's description, the suspects face up to 12 years in prison.

In addition to the two operations this month, Europol and Eurojust coordinated an international law enforcement operation in January to disrupt the infamous Emotet botnet.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

Europol, Ukraine police arrest suspected ransomware ringleader

Dig Deeper on Information security laws, investigations and ethics

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing