12 notorious ransomware actors nabbed in major Europol-led operation


Europol has announced the arrest of 12 cyber criminals who were behind multiple ransomware attacks against companies across the globe, including critical infrastructure organisations.

According to Europol, the attacks launched by these cyber criminals affected over 1,800 victims in 71 countries. The victims included large corporations that suffered significant damage as a result of these attacks, effectively bringing their business to a standstill.

The joint law enforcement operation, which took place on 26 October in Ukraine and Switzerland, resulted in the seizure of cash, luxury vehicles, and electronic devices. “Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said via a press release.

Each of these cyber criminals has played a significant role in multiple cyber attacks. Some of them were in charge of infiltrating IT systems and deploying ransomware, while others gained access to systems using brute-force attacks, SQL injections, phishing emails, and stolen credentials.

According to Europol, these cyber criminals also deployed LockerGoga, MegaCortex, and Dharma ransomware, among others, to extract huge payments in the form of Bitcoin from organisations in exchange for the decryption key. Others concentrated on lateral movement and the deployment of malware such as Trickbot or post-exploitation frameworks such as PowerShell Empire and Cobalt Strike.

“More than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the action day to assist the National Police with conducting joint investigative measures. A Ukrainian cyber police officer was also seconded to Europol for two months to prepare for the action day.”

Soon after the arrests took place, the BlackMatter ransomware group, which security researchers believe is the DarkSide ransomware gang operating under a new name, announced plans to shut down operations due to immense pressure from the authorities and recent law enforcement operations. However, we cannot say for certain whether the two events are related.

Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit, says that law enforcement operations certainly have a major impact on how cyber criminals operate. 

“With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This shouldn’t be seen as the end, because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating, so organizations and defenders should not be taking a breather but should focus on disrupting them further.

“It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group that has rebranded (e.g. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk, or Karma ransomware likely a rebrand of Nemty ransomware),” he said.


Copyright Lyonsdown Limited 2021
