TechGlobal collaboration results in takedown of Ukrainian ransomware gang

Global collaboration results in takedown of Ukrainian ransomware gang

The Ukrainian cybercriminal group that terrorized organizations globally has finally been disbanded. This is a result of an unprecedented Europol operation, with its final phase unfolding in the latter half of November 2023.

Breaking up a cybercriminal group in Ukraine
Breaking up a cybercriminal group in Ukraine
Images source: © Europol

1:02 PM EST, November 29, 2023

The arrests encompass members of the Ukrainian cybercrime group and followed several months of intricate investigation. This operation involved about 30 systematic property searches conducted on November 21, 2023. The activities, orchestrated in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, culminated in the detention of a 32-year-old ringleader along with four of his main cohorts. Law enforcement also secured over a hundred diverse devices.

According to Europol's reports, the now-defunct group is responsible for around 1.8 thousand ransomware attacks, these having brought about losses estimated to be in the hundreds of millions of euros. These attacks mainly targeted large-scale organizations and multinational corporations in over 70 countries, though the actual number of successful attacks is possibly higher.

International Response to Cybersecurity Threats

Law enforcement and judicial authorities from several countries participated in the operation. Institutions involved included the Ukrainian Prosecutor General's Office, the National Police, the French National Police, the German Prosecutor's Office in Stuttgart, the Dutch National Police, the Norwegian Investigative Service, the Swiss prosecutor's office and police, and the FBI among other American services. Eurojust facilitated their cooperation through a series of 12 coordinating meetings.

A joint investigative task force was instituted in September 2019. The initial wave of arrests took place two years afterwards. Now, another two years past, the case is shut with the apprehension of the primary figures in the cybercriminal group.

Methods Employed by the Ukrainian Cybercriminals

The criminals deployed a variety of tactics to penetrate IT security, ranging from rudimentary methods such as brute-force attacks to advanced phishing schemes and other forms of authentication data theft. Once embedded into the victims' networks, malicious software like Trickbot, Cobalt Strike, or PowerShell Empire was activated to extend access and stay concealed.

The subsequent step - often enacted many months after infiltrating victims' systems - involved deploying ransomware software such as LockerGoga, MegaCortex, HIVE, and Dharma. These programs encrypt files on computers and servers, subsequently displaying a message mandating a bitcoin ransom in exchange for decryption keys to unlock access.

There's some positive news for victims who didn't capitulate to the cybercriminals' demands. Forensic investigations accompanying this probe paved the way for the creation of decryption tools for LockerGoga and MegaCortex software. This solution, aided by Bitdefender, is freely available on the No More Ransom website.

Related content
© essanews.com
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.