An international law enforcement operation in Ukraine last week led to the arrest of a ransomware affiliate group's alleged ringleader and four accomplices.
Europol announced the coordinated effort in a press release Tuesday that shed light on the group's tactics and significant damages it caused to victim organizations. The operation occurred on Nov. 21 and included authorities from Europol, Ukraine, Norway, Switzerland, France, Germany and the U.S. Together, they conducted more than 30 searches throughout Ukraine and made five arrests, including a 32-year-old unnamed ringleader.
Europol revealed that the group formed in 2018 and targeted large corporations with LockerGoga, MegaCortex, Hive and Dharma ransomware. During the investigation, which Europol supported, authorities observed the group gaining access through brute-force attacks, SQL injection and social engineering. Once inside, the group encrypted victims' servers, essentially bringing businesses "to a standstill," Europol said.
Recent high-profile ransomware attacks have demonstrated how dangerous those techniques are to victim organizations. While Tuesday's press release did not name Clop ransomware as one of the observed strains, the Clop ransomware group exploited a SQL injection vulnerability in Progress Software's MOVEit Transfer product in its widespread attacks earlier this year.
Meanwhile, social engineering campaigns targeting IT help desks led to account takeovers at Okta customers, including two Las Vegas casino operators, in September. The attacks were attributed to Scattered Spider, and security vendors expressed frustration in a Reuters report over the FBI's lack of arrests in the attacks on MGM Resorts and Caesars Entertainment.
Europol said the suspects arrested on Nov. 21 used phishing emails to steal usernames and passwords. Once inside a network, the operators used TrickBot malware and the Cobalt Strike and PowerShell Empire post-exploitation frameworks to evade detection and expand their access. The tools enabled the threat actors to compromise as many systems in the victim organization's environment as possible before deploying ransomware.
"The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organisations in 71 countries," Europol wrote in the press release. "The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros."
Europol said the joint operation was initiated by French authorities in 2019, along with investigators from Norway, Ukraine and the U.K., with support from Europol and Eurojust. Dutch, German, Swiss and U.S. authorities provided additional support through independent investigations. "This international cooperation has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine," Europol said.
Victims suffer social engineering attacks
Ukraine's National Police provided more details in a separate blog post Tuesday, emphasizing the ransomware group's use of self-developed malicious software and "several encryption viruses." More importantly, it expanded on the social engineering campaigns, a technique consistently leveraged by dangerous groups.
"First of all, the attackers hacked the accounts of the employees of the victim company, using information from open sources and social engineering methods," Ukraine's National Police wrote in the blog post, here translated to English via Google Translate.
The methods appear to have been effective. Police said the suspects caused more than $82 million in losses for victim organizations over several years. Victims included a leading Dutch chemical company.
Police did not name that victim but said the group demanded a ransom of 450 bitcoin, to be paid to a cryptocurrency wallet, the standard payment method among ransomware groups. During the arrests, law enforcement seized computer equipment, cars, bank and SIM cards, almost 4 million hryvnias -- equivalent to about $110,000 -- and cryptocurrency assets.
The arrests marked the latest bust in the ongoing ransomware fight. In January, the FBI announced that it had seized Hive ransomware servers. Six months earlier, the government agency had infiltrated Hive's networks and captured decryption keys to help victim organizations recover from an attack without giving in to demands. In Tuesday's press release, Europol said decryption tools for LockerGoga and MegaCortex ransomware variants are now available.
Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1, said Tuesday's arrests could have a substantial effect in hindering ransomware activity -- especially if the suspects were behind the 2019 attack against Oslo-based Norsk Hydro, which involved LockerGoga ransomware, one of the strains named in the press release. However, he said the announcement lacks key details on the suspects needed to determine how effective the operation will be in the long run.
"The issue I have is there is no context -- is this an affiliate, a core member or money launderers? If the arrests were from the group's core members, it will be far more significant. So, I am waiting for details to come out. Either way, it is a good thing," DiMaggio said in an email to TechTarget Editorial.
In another statement to TechTarget Editorial, Kimberly Goody, Mandiant's head of cybercrime analysis, agreed that the bust could disrupt ransomware activity. She surmised that the suspects might be initial access brokers or money launderers, both of which play vital roles in the evolving threat landscape.
"LockerGoga and MegaCortex were notably some of the earlier ransomware variants in use when the cybercriminal community began shifting away from mass distributed ransomware and point-of-sale operations to post-compromise ransomware deployment targeting organizations," Goody said.
The ransomware variants named in Tuesday's press release were associated with attacks on healthcare and other critical industries, she added. The press release also detailed tactics, techniques and procedures that align with activity Mandiant has attributed to a financially motivated, FIN6-affiliated actor that has been active since 2014. That includes the use of TrickBot and LockerGoga.
"However, given the complexities and interdependence of the cybercrime ecosystem, we cannot confirm at this time whether this law enforcement action is associated with this threat actor," Goody said.
Arielle Waldman is a Boston-based reporter covering enterprise security news.