12 people have been detained as part of an international law enforcement operation for orchestrating ransomware attacks on critical infrastructure and large organizations that hit over 1,800 victims across 71 countries since 2019, marking the latest action against cybercrime groups.
The arrests were made earlier this week on October 26 in Ukraine and Switzerland, resulting in the seizure of cash worth $52,000, five luxury vehicles, and a number of electronic devices that the agencies said are being examined to uncover new forensic evidence of their malicious activities and pursue new investigative leads.
The suspects have been primarily linked to LockerGoga, MegaCortex, and Dharma ransomware, in addition to being in charge of laundering the ransom payments by funneling the ill-gotten Bitcoin proceeds through mixing services and cashing them out.
“The targeted suspects all had different roles in these professional, highly organised criminal organisations,” Europol said in a press release. “Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.”
Following a successful break-in, the suspects are said to have focused on lateral movement within the compromised networks by deploying malware such as TrickBot or post-exploitation frameworks like Cobalt Strike or PowerShell Empire with the goal of staying undetected for extended periods of time and gaining entrenched access, leveraging the opportunity to probe for more weaknesses in the IT networks before installing ransomware.
The arrested individuals are also believed to have carried out the ransomware attack on Norwegian aluminum processor Norsk Hydro in March 2019, the country’s National Criminal Investigation Service said in a separate statement.
The joint task force involved authorities from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, the U.K., and the U.S., along with Europol and Eurojust, under the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
The development also arrives weeks after representatives from the U.S., the European Union, and 30 other countries pledged to mitigate the risk of ransomware and harden the financial system from exploitation with the goal of disrupting the ecosystem, calling it an “escalating global security threat with serious economic and security consequences.”