Europol has announced the arrest of 12 cyber criminals who were behind multiple ransomware attacks against companies across the globe, including critical infrastructure organisations.
According to Europol, the attacks launched by these cyber criminals affected over 1,800 victims in 71 countries. The victims included large corporations that suffered significant damage as a result of these attacks, in some cases effectively bringing their business to a standstill.
The joint law enforcement operation, which took place on 26 October in Ukraine and Switzerland, resulted in the seizure of cash, luxury vehicles, and electronic devices. “Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said via a press release.
Each of these suspects has played a distinct role in multiple cyber attacks. Some handled the initial intrusion, compromising IT networks through brute-force attacks, SQL injection, phishing emails and stolen credentials, while others were in charge of moving through the compromised systems and deploying the ransomware.
According to Europol, these cyber criminals deployed LockerGoga, MegaCortex and Dharma ransomware, among others, to extort large payments in the form of Bitcoin from organisations in exchange for the decryption key. Others concentrated on lateral movement, deploying malware such as Trickbot or post-exploitation frameworks such as PowerShell Empire and Cobalt Strike to extend their access inside the network before the ransomware was released.
“More than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the action day to assist the National Police with conducting joint investigative measures. A Ukrainian cyber police officer was also seconded to Europol for two months to prepare for the action day.”
Soon after the arrests took place, the BlackMatter ransomware group, which security researchers believe is the DarkSide ransomware gang operating under a new name, announced plans to shut down operations due to immense pressure from the authorities and recent law enforcement operations. However, we cannot say for certain whether the two events are related.
Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit, says that law enforcement operations certainly have a major impact on how cyber criminals operate.
“With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This shouldn’t be seen as the end because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating so organizations and defenders should not be taking a breather but focus on disrupting them further.
“It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group who has rebranded (e.g. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk or Karma ransomware likely a rebrand of Nemty ransomware),” he said.