Europol, along with international law enforcement partners, has apprehended five individuals suspected of involvement in a series of ransomware attacks affecting over 1,800 victims worldwide.
The arrests, including the apprehension of the criminal gang’s leader, age 32, and four of his most active accomplices, followed raids at 30 properties across Ukraine last week, according to Europol’s statement on Tuesday. The suspects remain unnamed.
Norwegian, French, German, and U.S. investigators assisted the Ukrainian National Police in the Kyiv investigation, while Europol established a virtual command center in the Netherlands to process the seized data during the searches.
According to a separate announcement from Ukraine’s Cyber Police, law enforcement officials confiscated computer equipment, cars, bank and phone SIM cards, and numerous electronic media items.
The police also seized cryptocurrency assets, including nearly four million hryvnias (around $110,000), and other alleged evidence of illegal activities.
The arrests mark the latest development in a multi-year investigation that resulted in the apprehension of 12 individuals in raids in Ukraine and Switzerland in 2021. In its announcement on Tuesday, Europol stated that its previous actions facilitated the identification of the suspects targeted during the recent action in Kyiv.
The five individuals apprehended last week stand accused of encrypting over 250 servers belonging to large corporations and extorting several hundred million euros from their victims.
The perpetrators are believed to have played various roles in the criminal network: some used brute-force attacks and stolen credentials to breach a victim’s network, some employed malware like Trickbot to remain undetected and gain further access, and others are suspected of overseeing the laundering of cryptocurrency payments made by victims to regain access to their stolen files.
Europol accused the hackers of causing significant disruption to targeted organizations. One of the ransomware variants used by the group was LockerGoga, the same type of malware employed in the cyberattack against Norwegian aluminum processor Norsk Hydro in March 2019. The attackers also used MegaCortex, Hive, and Dharma ransomware, according to Europol’s announcement.
Europol’s investigation into this criminal organization has also enabled Swiss authorities, in collaboration with Bitdefender and the European Union’s No More Ransom project, to develop decryption tools for the LockerGoga and MegaCortex ransomware variants. These tools enable victims to recover their stolen files without having to pay a ransom.