In a collaborative effort with Europol and Eurojust, law enforcement agencies from seven nations have successfully apprehended the core members of a ransomware group operating in Ukraine. This group was responsible for launching attacks against organizations in 71 countries, resulting in significant disruptions to major corporations worldwide. The cybercriminals employed various types of ransomware, including LockerGoga, MegaCortex, HIVE, and Dharma, to paralyze their victims’ operations.
Eurojust stated, “After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE, or Dharma. A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.”
The criminal network involved in these attacks had members with diverse roles. Some members were responsible for breaching IT networks, while others assisted in laundering the cryptocurrency payments made by victims to decrypt their files. The attackers gained access to their targets’ networks through various methods, including stealing user credentials through brute force and SQL injection attacks, as well as using phishing emails with malicious attachments. Once inside the compromised systems, they used tools such as TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise additional systems before triggering the deployed ransomware payloads.
The investigation revealed that this organized group of ransomware affiliates had encrypted more than 250 servers belonging to major corporations, resulting in losses exceeding several hundred million euros.
Ransomware Gang Arrests in Ukraine
Coordinated raids conducted on November 21st at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia led to the arrest of the 32-year-old mastermind of the group and the capture of four accomplices. The Ukrainian National Police received assistance from over 20 investigators from Norway, France, Germany, and the United States during the investigation in Kyiv. Europol also established a virtual command center in the Netherlands to process the data seized during the house searches.
The National Police of Ukraine’s Department of Cyber Police stated, “With the support of the TOR special unit, law enforcement officers conducted more than 30 authorized searches in the premises and cars of the suspects in Kyiv region, as well as in Cherkasy, Rivne, and Vinnytsia regions. Computer equipment, cars, bank and SIM cards, ‘draft’ records, as well as dozens of electronic media and other evidence of illegal activities were seized. In particular, almost 4 million hryvnias and cryptocurrency assets.”
This operation follows previous arrests made in 2021 as part of the same law enforcement action. Twelve additional suspects were detained, all linked to the same ransomware group responsible for attacks against 1,800 victims in 71 countries. The attackers in these previous incidents deployed LockerGoga, MegaCortex, and Dharma ransomware, as well as malware like TrickBot and post-exploitation tools such as Cobalt Strike.
Free LockerGoga and MegaCortex Ransomware Decrypters
As a result of the forensic analysis conducted, Swiss authorities, in collaboration with No More Ransom partners and Bitdefender, developed decryption tools for the LockerGoga and MegaCortex ransomware variants. These tools will assist victims in recovering their encrypted files.
This international police action was initiated by French authorities in September 2019 and focused on locating threat actors in Ukraine and bringing them to justice. The joint investigation team (JIT), comprising Norway, France, the United Kingdom, and Ukraine, received financial support from Eurojust and collaborated with Dutch, German, Swiss, and U.S. authorities.
The participating law enforcement agencies include:
- Norway: National Criminal Investigation Service (Kripos)
- France: Public Prosecutor’s Office of Paris, National Police (Police Nationale – OCLCTIC)
- Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)
- Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
- Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen
- Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police
- United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI)
- Europol: European Cybercrime Centre (EC3)
- Eurojust
Eurojust stated, “In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend key figures behind significant ransomware operations wreaking havoc across the world. The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.”