Global Authorities Collaborate to Dismantle Ransomware Network Responsible for Widespread Attacks

(IN BRIEF) Judicial and law enforcement agencies from seven countries have joined forces to take action against a criminal network responsible for a series of damaging ransomware attacks worldwide. These attacks have affected over 1,800 victims in 71 countries, primarily targeting large corporations and causing losses totaling hundreds of millions of euros. A recent operation, supported by Eurojust and Europol, led to the arrest of the network’s ringleader and the detention of four suspects in Ukraine. This collaborative effort involved more than 20 investigators from multiple countries and follows a previous round of arrests in 2021. The network’s modus operandi involved infiltrating IT networks using various techniques, deploying ransomware, and demanding bitcoin payments in exchange for decryption keys. International cooperation and coordination played a crucial role in this successful crackdown on cybercriminals.

(PRESS RELEASE) THE HAGUE, 28-Nov-2023 — /EuropaWire/ — Judicial and law enforcement authorities from seven different countries have joined forces in an action against a criminal network responsible for significant ransomware attacks across the world. These attacks are believed to have affected over 1,800 victims in 71 countries. The perpetrators targeted large corporations, effectively bringing their business to a standstill and causing losses of at least several hundred million euros.

A recent operation supported by Eurojust and Europol led to the arrest of the ringleader and the detention of four suspects in Ukraine. A total of 30 places were searched and over a hundred digital equipment tools were seized.

More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to assist the Ukrainian authorities. This latest action follows a first round of arrests in 2021 in the framework of the same investigation.

The perpetrators are believed to have played different roles in the criminal network. Some were involved in the infiltration attempts, using multiple mechanisms to compromise IT networks, including brute force attacks, so-called SQL injection techniques to attack data applications, stolen credentials and phishing emails with malicious attachments. Once inside the network, some of these cyber actors used malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to remain undetected and gain further access.

After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma. A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.

International cooperation 

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support from Eurojust and assistance from both agencies. Since then, the partners in the JIT have been working closely together, in parallel with independent investigations by the Dutch, German, Swiss and US authorities, to uncover the true magnitude and complexity of the criminal activities of these cyber actors and to establish a joint strategy.

Eurojust has hosted 12 coordination meetings to facilitate the communication and judicial cooperation between the authorities involved.

From the onset of the investigation, Europol’s European Cybercrime Centre (EC3) has been hosting operational meetings, providing digital forensic, cryptocurrency and malware support and facilitating the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters. The investigation has benefited from funding from the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

The following authorities have been involved:

  • France: Public Prosecutor’s Office of Paris; National Police (Police Nationale – OCLCTIC)
  • Germany: Public Prosecutor’s Office of Stuttgart; Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) – CID Esslingen
  • Netherlands: National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie); National Police (Politie)
  • Norway: National Criminal Investigation Service (Kripos)
  • Switzerland: Public Prosecutor’s Office II of the Canton of Zürich and Cantonal Police of Zürich
  • Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
  • United States: U.S. Department of Justice’s Computer Crime and Intellectual Property Section; U.S. Attorney’s Office for the Eastern District of New York; U.S. Secret Service (USSS); Federal Bureau of Investigation (FBI)

Media Contact:

Eurojust Press Team
Phone: + 31 70 412 55 00
media@eurojust.europa.eu

SOURCE: EUROJUST
