A large-scale operation against a Ukrainian ransomware gang has proved successful. Seven national units worked together alongside Europol and Eurojust to track down the ringleader and 11 accomplices. The profile of the as-of-yet unnamed group shows once again how agile and wide-reaching cybercriminals are nowadays. In turn, the international operation shows precisely how to successfully combat such groups.
A 32-year-old man believed to be the ringleader of the ransomware gang was arrested in Kyiv on Oct. 26. In total, authorities targeted 12 individuals in Ukraine and Switzerland in the joint operation. In the process, they seized $52,000 in cash and five luxury vehicles.
French police launched the operation initially, escalating it to an international level. This led to the creation of a joint investigation team, which began working in cooperation with six other countries, as well as Europol and Eurojust. Independent parallel investigations have also taken place in the Netherlands, the United States, Germany and Switzerland.
Large organizations were the main targets, resulting in 1,800 victims
Eurojust’s announcement states that the hacker group mainly targeted critical infrastructure and large companies. The criminals allegedly exploited 1,800 victims, spread across 71 countries. This international impact is also reflected by the fact that most suspects are already under investigation in several jurisdictions.
The group engaged in various tasks, including infiltration attempts of IT networks via stolen credentials, SQL injections, phishing emails, and brute-force attacks. Lateral movements were partly enabled by malware such as Trickbot and tools such as Cobalt Strike and PowerShell Empire, reports Eurojust.
Multiple ransomware in use
Interestingly, the group did not restrict itself to any specific ransomware variant. Earlier this year, for example, authorities took down RagnarLocker, with the name referring to both the criminal organization as well as the ransomware software.
The anonymous group appears to have operated with a Ransomware-as-a-Service model, using multiple types of malware: LockerGoga, MegaCortex, HIVE and Dharma are mentioned by name. While all are designed to encrypt victims’ data, their implementation differs. For example, Dharma can be installed manually via a remote desktop session, while MegaCortex contains a hodgepodge of automation and manual components.
It shows the agility of modern cybercrime, where attackers deploy multiple types of software to invade organizations, remain undetected and encrypt or steal data.
The impact of EMPACT
Also notable is the length of the international operation against the group. The joint investigation team was set up in September 2019 by Norway, France, the United Kingdom and Ukraine. Eurojust provided part of the budget for the investigation team.
An operation like this requires significant oversight to pool resources and expertise successfully. Different jurisdictions and investigative actions require coordination – and, of course, money. Much of that budget came from Eurojust, EMPACT in particular. This European Multidisciplinary Platform Against Criminal Threats isn’t even all that well-known to the judiciary, according to Boštjan Škrlec, vice president at Eurojust. However, he emphasizes that EMPACT plays an important role in bridging the gap between national and international units so that criminal organizations can be tackled in a coordinated way. It also involves the expertise of private security parties.
Enrich Kron of KnowBe4, a company specializing in providing security awareness training, is satisfied with this approach. Speaking to SiliconANGLE, he reports that “coalitions like this have a significant and positive impact” on removing the burden from having to overcome regulatory hurdles. He also notes that the multi-faceted approach that this criminal organization employed, shows that companies need to have their IT security in order across many disciplines. In other words, any attack vector can be fatal.