With judicial support from Eurojust, authorities in France, Germany, Romania and Switzerland have taken action against an organised crime group (OCG) which was involved in a considerable number of ransomware attacks across Europe. During an action day, four places in Romania were searched. Two suspects were arrested and multiple items seized. The estimated profits of the OCG amounted to several million euros.
Starting in early 2019, the IT infrastructure of a significant number of companies and institutions in France, Germany and Romania was compromised by malware, rendering their data inaccessible unless the victims paid a ransom in cryptocurrencies to decrypt the compromised data. According to the investigators, the suspects were part of an international crime group behind the attacks, operating with Ransomware as a Service (RaaS). In this illegal business model, the perpetrators rent the malware needed to launch attacks and encrypt computer systems from ransomware developers, and then obtain illicit profits from victims who pay for the safe recovery of their encrypted data.
The suspects made use of the GandCrab and REvil/Sodinokibi ‘ransomware families’, two of the most prolific tools in this field. Their attacks affected many victims throughout the world in both the public and private sectors, including companies, municipalities, hospitals, law enforcement, emergency services, schools, colleges and universities. They also targeted the health sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.
The French Desk at Eurojust organised four coordination meetings in this case to discuss the respective investigations and establish cooperation strategies. To facilitate the cooperation, a joint investigation team (JIT) between the French, German and Romanian authorities was set up with Eurojust support. Switzerland is due to join the JIT at a later date. Europol facilitated the information exchange and provided operational analytical support. The US authorities provided additional support.
The following authorities took part in this operation:
- France: Court of Paris, Counter-Cybercrime Unit, BL2C (Anti-Cybercrime Brigade) – Préfecture de Police de Paris
- Germany: Public Prosecutor’s Office Stuttgart, State Office of Criminal Investigation of Baden-Württemberg
- Romania: Prosecutor’s Office of the High Court of Cassation and Justice – Directorate for Investigating Organised Crime and Terrorism – Central Structure, General Inspectorate of Police – Cybercrime Police Unit, Brigade for Combating Organised Crime Constanta, Directorate for Special Operations within the General Inspectorate of the Romanian Police and Special Brigade for Interventions of the Romanian Gendarmerie
- Switzerland: Public Prosecutor’s Office II of the Canton of Zürich, Cantonal Police Zürich