Global collaboration results in takedown of Ukrainian ransomware gang

The Ukrainian cybercriminal group that terrorized organizations globally has finally been disbanded. This is a result of an unprecedented Europol operation, with its final phase unfolding in the latter half of November 2023.

The arrests encompass members of the Ukrainian cybercrime group and followed several months of intricate investigation. This operation involved about 30 systematic property searches conducted on November 21, 2023. The activities, orchestrated in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, culminated in the detention of a 32-year-old ringleader along with four of his main cohorts. Law enforcement also secured over a hundred diverse devices.

According to Europol's reports, the now-defunct group is responsible for around 1.8 thousand ransomware attacks, these having brought about losses estimated to be in the hundreds of millions of euros. These attacks mainly targeted large-scale organizations and multinational corporations in over 70 countries, though the actual number of successful attacks is possibly higher.

Law enforcement and judicial authorities from several countries participated in the operation. Institutions involved included the Ukrainian Prosecutor General's Office, the National Police, the French National Police, the German Prosecutor's Office in Stuttgart, the Dutch National Police, the Norwegian Investigative Service, the Swiss prosecutor's office and police, and the FBI among other American services. Eurojust facilitated their cooperation through a series of 12 coordinating meetings.

A joint investigative task force was instituted in September 2019. The initial wave of arrests took place two years afterwards. Now, another two years past, the case is shut with the apprehension of the primary figures in the cybercriminal group.

The criminals deployed a variety of tactics to penetrate IT security, ranging from rudimentary methods such as brute-force attacks to advanced phishing schemes and other forms of authentication data theft. Once embedded into the victims' networks, malicious software like Trickbot, Cobalt Strike, or PowerShell Empire was activated to extend access and stay concealed.

The subsequent step - often enacted many months after infiltrating victims' systems - involved deploying ransomware software such as LockerGoga, MegaCortex, HIVE, and Dharma. These programs encrypt files on computers and servers, subsequently displaying a message mandating a bitcoin ransom in exchange for decryption keys to unlock access.

There's some positive news for victims who didn't capitulate to the cybercriminals' demands. Forensic investigations accompanying this probe paved the way for the creation of decryption tools for LockerGoga and MegaCortex software. This solution, aided by Bitdefender, is freely available on the No More Ransom website.