Judicial and law enforcement authorities from seven different countries have joined forces in an action against a criminal network responsible for significant ransomware attacks across the world. These attacks are believed to have affected over 1,800 victims in 71 countries. The perpetrators targeted large corporations, effectively bringing their business to a standstill and causing losses of at least several hundred million euros.
A recent operation supported by Eurojust and Europol led to the arrest of the ringleader and the detention of four suspects in Ukraine. A total of 30 places were searched and over a hundred pieces of digital equipment were seized.
More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian authorities. This latest action follows a first round of arrests in 2021 in the framework of the same investigation.
The perpetrators are believed to have played different roles in the criminal network. Some were involved in the infiltration attempts, using multiple mechanisms to compromise IT networks, including brute force attacks, so-called SQL injection techniques to attack data applications, stolen credentials and phishing emails with malicious attachments. Once inside the network, some of these cyber actors used malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to remain undetected and gain further access.
After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma. A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.
International cooperation
Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support from Eurojust and assistance from both agencies. Since then, the partners in the JIT have been working closely together, in parallel with independent investigations by the Dutch, German, Swiss and US authorities, to uncover the true magnitude and complexity of the criminal activities of these cyber actors and to establish a joint strategy.
Eurojust has hosted 12 coordination meetings to facilitate the communication and judicial cooperation between the authorities involved.
From the onset of the investigation, Europol’s European Cybercrime Centre (EC3) has been hosting operational meetings, providing digital forensic, cryptocurrency and malware support and facilitating the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters. The investigation has benefited from funding from the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
The following authorities have been involved:
- France: Public Prosecutor’s Office of Paris; National Police (Police Nationale – OCLCTIC)
- Germany: Public Prosecutor’s Office of Stuttgart; Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) – CID Esslingen
- Netherlands: National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie); National Police (Politie)
- Norway: National Criminal Investigation Service (Kripos)
- Switzerland: Public Prosecutor’s Office II of the Canton of Zürich and Cantonal Police of Zürich
- Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
- United States: U.S. Department of Justice’s Computer Crime and Intellectual Property Section; U.S. Attorney’s Office for the Eastern District of New York; U.S. Secret Service (USSS); Federal Bureau of Investigation (FBI)