Ransomware gangs have been able to conduct thousands of attacks on businesses with little threat of being caught, but the massive increase in attacks in 2020 and 2021 has prompted law enforcement to step up its efforts to combat the cybercriminal activity.
In the United States, ransomware attacks have been elevated to a level similar to terrorist attacks following high profile attacks on critical infrastructure, with the U.S. and its partners recently succeeding in taking down the infrastructure of one of the most prolific ransomware gangs of the past couple of years – REvil (Sodinokibi).
Now Europol has announced a big success from a major ransomware operation that targeted multiple cybercriminal groups responsible for deploying LockerGoga, MegaCortex, and Dharma ransomware in more than 1,800 attacks in 71 countries.
Twelve individuals suspected of playing significant roles in the attacks have now been arrested. They include hackers who gained access to business networks via phishing campaigns, brute force attacks, and SQL injection; lateral movement specialists who used TrickBot, PowerShell Empire, and Cobalt Strike; and individuals involved in processing ransom payments and laundering the money through a variety of mixing services before cashing out.
The arrests were the result of a long-running investigation into ransomware activity by a joint investigation task force (JIT) consisting of law enforcement agencies in Norway, France, Ukraine, and the United Kingdom that was set up in September 2019.
The arrests were made in a coordinated takedown in Ukraine and Switzerland in the early hours of October 26, which involved police forces in 8 countries. $52,000 in cash was seized along with 5 luxury vehicles and computer equipment suspected of being used in the attacks. A forensic investigation of the devices is now underway.
While 12 arrests have been made, it is currently unclear whether any of the individuals have been – or will be – charged. Europol only said the 12 individuals are high-value targets who have been investigated for their roles in several high-profile attacks in different jurisdictions.
According to Europol, after gaining initial access to victims’ networks, the hackers would remain undetected for months while they silently moved laterally, probing the network for weaknesses to exploit, before finally delivering ransomware and encrypting files to monetize the attacks.
JIT members have been investigating the attacks for months and have been working closely with law enforcement agencies in the Netherlands and United States who were conducting separate investigations, with Europol and Eurojust coordinating the operation.
More than 50 foreign investigators were deployed in Ukraine along with six Europol specialists for the action day to assist the Ukraine National Police in conducting joint investigative measures. The takedown is being hailed as a major success in the fight against ransomware.
Separately, an investigation conducted by media firm Zeit Online, German broadcaster Bayerischer Rundfunk, and the Baden-Württemberg State Criminal Police Office (LKA) has identified an individual believed to be a major player in the REvil ransomware operation. The investigation took months of painstaking work tracking Bitcoin payments and communications through anonymous Telegram channels. The research allowed the investigators to identify a Telegram account used by a person of interest who had received payments totaling €400,000 in Bitcoin, made in at least 6 transactions from accounts connected to criminal enterprises.
That individual, known as Nikolay K on social media accounts, is believed to be a core member of the REvil ransomware group and is understood to be living in Crimea. Nikolay K is a Russian billionaire known for his showy lifestyle, which is thought to be financed by money made through REvil ransomware attacks.
The REvil ransomware operation has now been severely disrupted, with law enforcement taking down its infrastructure in July following attacks on Colonial Pipeline, JBS, and Kaseya, and again in October when attempts were made to restore it.
The ransomware-as-a-service operation lost credibility in the hacking world when it was revealed that the operators were failing to pay affiliates for conducting attacks, often using a hidden backdoor to take over negotiations with victims, pocket the ransom payments, and cut out the affiliates. REvil is believed to be a rebrand of the GandCrab ransomware operation, which was similarly prolific until it shut down in 2019, shortly before REvil appeared.
An arrest warrant has been issued by the LKA for Nikolay K, but in order to be arrested and face criminal charges, he would have to leave Russia and travel to a country that has an extradition agreement with Germany. Such a trip seems unlikely.